

IMPROVING INTERNAL CONTROLS: A REVIEW OF 
CHANGES TO OMB CIRCULAR A-123 


HEARING 


BEFORE THE 

SUBCOMMITTEE ON GOVERNMENT MANAGEMENT, 
FINANCE, AND ACCOUNTABILITY 

OF THE 

COMMITTEE ON 
GOVERNMENT REFORM 

HOUSE OF REPRESENTATIVES 

ONE HUNDRED NINTH CONGRESS 

FIRST SESSION 

FEBRUARY 16, 2005 


Serial No. 109-16 


Printed for the use of the Committee on Government Reform 



Available via the World Wide Web: http://www.gpo.gov/congress/house 
http://www.house.gov/reform 


U.S. GOVERNMENT PRINTING OFFICE 
20-879 PDF WASHINGTON : 2005 


For sale by the Superintendent of Documents, U.S. Government Printing Office 
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 


COMMITTEE ON GOVERNMENT REFORM 

TOM DAVIS, Virginia, Chairman 


CHRISTOPHER SHAYS, Connecticut 
DAN BURTON, Indiana 
ILEANA ROS-LEHTINEN, Florida 
JOHN M. McHUGH, New York 
JOHN L. MICA, Florida 
GIL GUTKNECHT, Minnesota 
MARK E. SOUDER, Indiana 
STEVEN C. LaTOURETTE, Ohio 
TODD RUSSELL PLATTS, Pennsylvania 
CHRIS CANNON, Utah 
JOHN J. DUNCAN, Jr., Tennessee 
CANDICE S. MILLER, Michigan 
MICHAEL R. TURNER, Ohio 
DARRELL E. ISSA, California 
GINNY BROWN-WAITE, Florida 
JON C. PORTER, Nevada 
KENNY MARCHANT, Texas 
LYNN A. WESTMORELAND, Georgia 
PATRICK T. McHENRY, North Carolina 
CHARLES W. DENT, Pennsylvania 
VIRGINIA FOXX, North Carolina 


HENRY A. WAXMAN, California 
TOM LANTOS, California 
MAJOR R. OWENS, New York 
EDOLPHUS TOWNS, New York 
PAUL E. KANJORSKI, Pennsylvania 
CAROLYN B. MALONEY, New York 
ELIJAH E. CUMMINGS, Maryland 
DENNIS J. KUCINICH, Ohio 
DANNY K. DAVIS, Illinois 
WM. LACY CLAY, Missouri 
DIANE E. WATSON, California 
STEPHEN F. LYNCH, Massachusetts 
CHRIS VAN HOLLEN, Maryland 
LINDA T. SANCHEZ, California 
C.A. DUTCH RUPPERSBERGER, Maryland 
BRIAN HIGGINS, New York 
ELEANOR HOLMES NORTON, District of 
Columbia 


BERNARD SANDERS, Vermont 
(Independent) 


Melissa Wojciak, Staff Director 
David Marin, Deputy Staff Director 
Rob Borden, Parliamentarian 
Teresa Austin, Chief Clerk 
Phil Barnett, Minority Chief of Staff/Chief Counsel 


Subcommittee on Government Management, Finance, and Accountability 


TODD RUSSELL PLATTS, Pennsylvania, Chairman 


VIRGINIA FOXX, North Carolina 
TOM DAVIS, Virginia 
GIL GUTKNECHT, Minnesota 
MARK E. SOUDER, Indiana 
JOHN J. DUNCAN, Jr., Tennessee 


EDOLPHUS TOWNS, New York 
MAJOR R. OWENS, New York 
PAUL E. KANJORSKI, Pennsylvania 
CAROLYN B. MALONEY, New York 


Ex Officio 


HENRY A. WAXMAN, California 

Mike Hettinger, Staff Director 
Tabetha Mueller, Professional Staff Member 
Nathaniel Berry, Clerk 

Adam Bordes, Minority Professional Staff Member 





CONTENTS 


Hearing held on February 16, 2005 

Statement of: 

Higgins, John P., Jr., Inspector General of the Department of Education 

Steinhoff, Jeffrey C., Managing Director, Financial Management and Assurance, U.S. Government Accountability Office 

Wolff, Otto J., Chief Financial Officer and Assistant Secretary for Administration, U.S. Department of Commerce; Christopher B. Burnham, Acting Under Secretary for Management, Assistant Secretary for Resource Management and Chief Financial Officer, U.S. Department of State; John P. Higgins, Jr., Inspector General, U.S. Department of Education; and Jeffrey C. Steinhoff, Managing Director of Financial Management and Assurance, U.S. Government Accountability Office 

Burnham, Christopher B. 

Wolff, Otto J. 

Letters, statements, etc., submitted for the record by: 

Burnham, Christopher B., Acting Under Secretary for Management, Assistant Secretary for Resource Management and Chief Financial Officer, U.S. Department of State, prepared statement of 

Higgins, John P., Jr., Inspector General of the Department of Education, prepared statement of 

Steinhoff, Jeffrey C., Managing Director, Financial Management and Assurance, U.S. Government Accountability Office, prepared statement of 

Wolff, Otto J., Chief Financial Officer and Assistant Secretary for Administration, U.S. Department of Commerce, prepared statement of 





IMPROVING INTERNAL CONTROLS: A REVIEW 
OF CHANGES TO OMB CIRCULAR A-123 


WEDNESDAY, FEBRUARY 16, 2005 

House of Representatives, 

Subcommittee on Government Management, 

Finance, and Accountability, 
Committee on Government Reform, 

Washington, DC. 

The subcommittee met, pursuant to notice, at 2 p.m., in room 
2247, Rayburn House Office Building, Hon. Todd Russell Platts 
(chairman of the committee) presiding. 

Present: Representatives Platts, Foxx, Towns, and Maloney. 

Staff present: Mike Hettinger, staff director; Dan Daly, counsel; 
Tabetha Mueller, professional staff member; Jessica Friedman, leg- 
islative assistant; Nathaniel Berry, clerk; Adam Bordes, minority 
professional staff member; and Jean Gosa, minority assistant clerk. 

Mr. Platts. A quorum being present, this hearing of the Govern- 
ment Reform Subcommittee on Government Management, Finance 
and Accountability will come to order. 

When accounting scandals shook the U.S. economy earlier this 
decade, Congress responded by placing stringent new accounting 
requirements on publicly traded companies. The legislation known 
as Sarbanes-Oxley put responsibility for financial information 
squarely in the hands of managers. To ensure that investors could 
rely on financial reports, Sarbanes-Oxley required companies to 
document the safeguards they have in place to prevent errors or 
fraud, commonly known as internal controls. 

Internal controls are the checks and balances that help managers 
detect and prevent problems. They can be as simple as computer 
passwords or having a manager sign off on a time sheet or as com- 
plex as installing software to track spending and detect spikes that 
signal trouble. Internal controls provide a foundation for account- 
ability, and while they are important in the private sector, sound 
internal controls are imperative in Government. Public trust de- 
pends on nothing less. 

Glaring internal control problems in the Federal Government 
have made headlines recently from the Office of Management and 
Budget’s reporting of $45 billion in mistaken payments throughout 
Government to soldiers being paid incorrectly while serving in 
harm’s way. When audits revealed egregious internal control prob- 
lems at the Department of Homeland Security, this subcommittee 
proposed and enacted legislation to require the Department to take 
responsibility for improving internal controls and to have an audi- 
tor attest to those improvements. 



In light of this legislation and the standards for the private sector 
under Sarbanes-Oxley, OMB reexamined controls for Federal 
agencies. I want to applaud this administration for this forward 
looking action and for employing a collaborative approach using in- 
formation gleaned from a committee of agency chief financial offi- 
cers and inspector generals and working with the Government Ac- 
countability Office. 

As a result of this collaboration, the new guidance was issued in 
December of last year. Like Sarbanes-Oxley and the requirements 
at DHS, the revised guidance puts responsibility on agency man- 
agement and clearly defines the steps that need to be taken and 
documented to ensure that internal controls are sound. This hear- 
ing will look at what prompted these changes and how they will 
impact agency management. 

We are pleased to have a distinguished panel of witnesses with 
us here today who have played an instrumental role in developing 
these new guidelines. We have the Honorable Otto Wolff, CFO and 
Assistant Secretary for Administration at the Department of Com- 
merce and a member of the CFO Council; the Honorable Chris 
Burnham, Acting Under Secretary for Management, Assistant Sec- 
retary for Resource Management and CFO at the U.S. Department 
of State and a member of the CFO Council; and the Honorable 
Jack Higgins, Inspector General at the U.S. Department of Edu- 
cation and a member of the President’s Council on Integrity and 
Efficiency. 

Mr. Jeff Steinhoff, Managing Director of Financial Management 
and Assurance at the U.S. Government Accountability Office, also 
joins these administration witnesses. We are grateful for your ap- 
pearance here today and know you’ve done a lot of legwork leading 
up to this hearing and look forward to hearing your testimonies as 
well. 

I would now like to recognize our ranking member, the gen- 
tleman from New York, Mr. Towns, for the purpose of an opening 
statement. 

Mr. Towns. Thank you very much, Mr. Chairman. Let me thank 
you for holding this hearing on OMB’s recent amendments to its 
guidance on agency internal controls. 

Following last week’s insightful hearing on the state of our Gov- 
ernment’s financial position, I believe it is timely for our sub- 
committee to address the issue of internal controls as they relate 
to improving efficiency and accountability throughout the Federal 
Government. The need for adequate internal controls in governing 
the financial and operational components of our agencies has never 
been greater as the burden of both Federal budget deficits and im- 
proper payments diminish the success of many programs. Such con- 
cepts are not foreign to us, as recent private sector accounting 
scandals have forced Congress to reexamine issues of accountability 
and transparency in the name of protecting consumers and inves- 
tors. 

From this perspective, it is only logical to pursue policies that 
make the Federal Government more accountable to Congress and 
taxpayers, just as the private sector must be more accountable to 
its shareholders and consumers. Today we are reviewing what appears 
to be the first step in the process as we hear from our panel 
about recent amendments made to Circular A-123. In conformity 
with the Federal Managers Financial Integrity Act, the new guide- 
lines bring clarity to areas of confusion in defining what are effec- 
tive management practices for assessing internal controls for all 
agencies. This will ensure uniformity throughout agencies as they 
seek to establish an internal control structure that adequately 
meets appropriate levels of risk and program complexity. 

In addition, the changes spell out requirements for agencies to 
report on and address deficiencies in their internal control struc- 
ture. This is an improvement over previous practices, and will 
allow OMB to require an external opinion on agency internal controls 
when warranted. Our committee is well familiar with this 
practice, thanks to legislation enacted last session that was authored 
by the chairman of the subcommittee, my good friend, Congressman 
Platts from Pennsylvania, which required an independent 
review for internal control practices at the Department of 
Homeland Security. 

With many agencies now in the process of implementing new fi- 
nancial management systems, I believe these requirements are 
timely and necessary. As I have said before, our failure to ade- 
quately implement appropriate business practices will have an ad- 
verse impact on operations for programs that so many of my con- 
stituents depend on for their well-being. Hopefully, the aforemen- 
tioned changes will ensure that all of our agency programs will be 
efficient and effective. 

Thanks again, Mr. Chairman, for holding this hearing, and on 
that note, I yield back. 

Mr. Platts. Thank you, Mr. Towns. 

We will proceed to our testimonies. If we could ask all of our wit- 
nesses to stand and take the oath. Any individuals who will be ad- 
vising you as part of your testimony today should also stand and 
raise their right hand as well. 

[Witnesses sworn.] 

Mr. Platts. Thank you. Please be seated. The clerk will note 
that all witnesses affirmed the oath. Again, we appreciate the writ- 
ten testimony you have submitted. As I say to my kids, it is my 
homework that I bring home with me in my daily commute, and 
it allows me to be better prepared for our good dialog here today. 

With your oral testimonies here today, if we can try to stay 
roughly in that 8 minute range in summarizing your written state- 
ments as best you see fit to do, then we will get into questions. Sec- 
retary Wolff, we are going to begin with you, please. 





STATEMENTS OF OTTO J. WOLFF, CHIEF FINANCIAL OFFICER 
AND ASSISTANT SECRETARY FOR ADMINISTRATION, U.S. 
DEPARTMENT OF COMMERCE; CHRISTOPHER B. BURNHAM, 
ACTING UNDER SECRETARY FOR MANAGEMENT, ASSISTANT 
SECRETARY FOR RESOURCE MANAGEMENT AND CHIEF 
FINANCIAL OFFICER, U.S. DEPARTMENT OF STATE; JOHN P. 
HIGGINS, JR., INSPECTOR GENERAL, U.S. DEPARTMENT OF 
EDUCATION; AND JEFFREY C. STEINHOFF, MANAGING 
DIRECTOR OF FINANCIAL MANAGEMENT AND ASSURANCE, 
U.S. GOVERNMENT ACCOUNTABILITY OFFICE 

STATEMENT OF OTTO J. WOLFF 

Mr. Wolff. Mr. Chairman, Mr. Towns, thank you for the oppor- 
tunity to appear before you today to discuss how my colleagues in 
the Federal financial management and audit communities have 
come together in concert with the Office of Management and Budg- 
et to strengthen the internal control requirements over financial re- 
porting within the Federal Government. 

As a result of our efforts, we have substantially improved the ac- 
countability and oversight of internal controls in all the Federal de- 
partments and agencies. These changes were the result of the ad- 
ministration taking a proactive and collaborative approach to im- 
proving financial management in the Federal Government and a 
direct result of President Bush’s insistence on accountability at all 
levels of this administration. They are embodied in the revised 
OMB Circular A-123, Management’s Responsibility for Internal 
Controls, which was signed in December by OMB Director Bolten. 
The revised circular will help managers assure proper controls are 
in place, documented and tested. 

These changes will also strengthen the existing internal control 
assessment process in a cost effective manner. Additionally, these 
improvements will further support the goals of the President’s 
management agenda by promoting a foundation of good controls 
from which timely and reliable financial information can be devel- 
oped. 

We are all too aware of highly publicized corporate failures and 
accounting scandals in recent years which reveal the lack of ac- 
countability and proper controls over financial reporting in publicly 
held companies, prompting the passage of the Sarbanes-Oxley Act 
of 2002. This legislation included for the first time ever the require- 
ment that publicly held firms undertake significant efforts to pro- 
vide assurance on the effectiveness of their financial reporting proc- 
esses and to obtain audit opinion on internal controls, in addition 
to the traditional financial statement audits. 

With the passage of Sarbanes-Oxley and the Department of 
Homeland Security Financial Accountability Act of 2004, the execu- 
tive branch took the opportunity of reexamining our A-123 require- 
ments. Linda Springer, back in November 2003, initiated a joint 
committee of both the CFOs and the IG community, the PCIE, to 
survey Federal agencies and identify differences in how current re- 
quirements are being implemented, to review requirements of pub- 
licly traded companies as laid out by Sarbanes-Oxley and to report 
on how these requirements may or may not apply to the Federal 
Government. The joint committee first examined the fundamental 
differences between the public and private sectors. Federal entities 
operate in environments steeped in regulation, policies and proce- 
dures intended to ensure that all fiscal and budgetary actions are 
legal and comply with regulation and standard accounting practice. 

Because the goals and motivation of Federal entities differ fun- 
damentally from our private sector counterparts, they are much 
less vulnerable to the risk of manipulation of financial reporting to 
achieve personal gain. Also, the actions of Federal entities are open 
to public scrutiny and subject to multiple levels of oversight by the 
Congress, OMB, the Government Accountability Office and the 
independent inspectors general. 

Unlike the private sector, the actions of the Federal entities are 
subject to a myriad of laws and regulations designed specifically to 
promote prudence and accountability. The list is long, the FMFIA, 
the FISMA, the Inspector General Act, the Chief Financial Officers 
Act, the Government Management Reform Act, the FFMIA, Im- 
proper Payments Act and others. 

At the center of these requirements is the FMFIA, which estab- 
lishes the overall internal control requirements. The act encom- 
passes controls and programs, operational and administrative areas 
and accounting and financial management. It also requires the 
agency head to evaluate and report on the controls and financial 
systems that protect the integrity of Federal programs. 

The joint committee reviewed the existing internal control requirements 
in A-123, and recommended OMB strengthen its guidance 
for assessing the effectiveness of internal controls. We developed 
a revised A-123, which would adopt the standards of the internal 
controls commonly used by private sector and developed by 
the COSO and published in its document. These standards were 
adopted previously by the GAO in its Green Book. Key points of 
definition of the financial audit were included in its amendments. 
As you can see, we did not reinvent the wheel amending A-123, we 
adopted private sector standards that were tailored to be more spe- 
cific and responsive to the Federal environment. 

The most significant change to Circular A-123 is the require- 
ment for agency management to follow a more comprehensive and 
coordinated approach when assessing the effectiveness of internal 
control over financial reporting, and to document its assessment. 
Management must identify tests of documents and internal control 
effectiveness. A-123 defines the scope of reporting to include finan- 
cial statements, significant other financial reports and compliance 
with laws and regulations that pertain to financial reporting. 

The outcome of the assessment process requires a separate as- 
surance statement from management to be included in the agency’s 
performance and accountability report on the effectiveness of inter- 
nal controls and financial reporting. The circular also provides for 
OMB to require an agency to have an internal control opinion level 
audit if that agency fails to meet expectations regarding correction 
of its internal control deficiencies. 

The CFO Council plans to develop an implementation guide for 
A-123 which will complement the policy document and provide a 
more hands-on approach to the assessment of internal controls. 
And we will be sponsoring training for our Federal agencies to 
meet the new requirements. 





In addition, the internal control improvements are being tracked 
through the quarterly scorecard process for improved financial per- 
formance initiative of the President’s management agenda. This 
initiative emphasizes the need for effective internal control and 
getting to a green score on the score card requires that agencies 
eliminate all material control weaknesses. Ultimately, the goal is 
to assure managers are making more timely and informed deci- 
sions on operations and costs at both program and agency levels. 

Yet this objective cannot be achieved without a foundation of ef- 
fective internal controls from which financial information can rou- 
tinely be generated and used for management decisions. I am 
pleased to report that Commerce just attained green status for im- 
proved financial performance in the first quarter of the current fis- 
cal year. We are proud of our success and that of our seven other 
sister agencies who have also achieved green status. 

The efforts involved at Cabinet level agencies to overcome obsta- 
cles to obtain clean audit opinions, to integrate financial manage- 
ment systems, and to eliminate material weaknesses cannot be 
overstated. With a higher bar now set by A-123 we realize that the 
implementation will require a serious and focused effort. 

As part of the joint committee’s review, agencies were polled to 
better understand the costs associated with conducting internal 
control assessments and audits. Unfortunately, the majority of 
agencies did not have sufficient experience with the process envi- 
sioned in the revised A-123 to be able to estimate the costs with 
any degree of certainty. Other agencies who have been performing 
the internal controls work for so long lacked solid data on costs be- 
cause it is hard to identify separately. We will continue to work 
with the agencies to identify more specific cost data and we will let 
you know. 

In closing, I would like to acknowledge the excellent collaboration 
and support in addressing this issue on the part of the PCIE, OMB 
and the whole CFO community. We received helpful suggestions as 
well, sir, from your committee staff and the GAO in our discussions 
with them. The approach presented here should be a model for how 
we can work together to ensure that Federal programs operate ef- 
fectively and efficiently as possible. It is incumbent upon all of us 
to keep the Federal financial community focused on its stewardship 
responsibility. 

Thank you again, Mr. Chairman, for the opportunity to appear 
before you today. I would of course be happy to answer any ques- 
tions you may have. 

[The prepared statement of Mr. Wolff follows:] 





Testimony of 

The Honorable Otto Wolff 
Chief Financial Officer, Department of Commerce 
Before the 

Subcommittee on Government Management, Finance and Accountability 
Committee on Government Reform 
United States House of Representatives 

February 16, 2005 


The Effectiveness of Internal Control 

Thank you, Mr. Chairman and members of the Subcommittee. 

I am pleased to appear before you today to discuss how my colleagues in the federal financial 
management and audit communities have come together in concert with the Office of 
Management and Budget (OMB) to strengthen the internal control requirements over financial 
reporting within the Federal Government. As a result of this effort, we have substantially 
improved the accountability and oversight of internal controls of federal departments and 
agencies. 

These changes were the result of the Administration taking a proactive and collaborative 
approach to improving financial management in the federal government. They are embodied 
in the revised OMB Circular A-123: Management's Responsibility for Internal Control (A- 
123), which was signed in December by OMB Director Bolten. The revised Circular A-123 
will help federal managers ensure proper controls are in place, documented, and tested. These 
changes will also strengthen the existing internal control assessment process, in a cost- 
effective manner. Additionally, these improvements will further support the goals of the 
President’s Management Agenda by promoting a foundation of good controls from which 
timely and reliable financial information can be developed. 

Collaborative and Coordinated Approach 

As we are all too aware, highly publicized corporate failures and accounting scandals in 
recent years revealed a lack of accountability and proper controls over financial reporting 
in publicly-held companies, prompting the passage of the Sarbanes-Oxley Act of 2002 
(Sarbanes-Oxley Act). This legislation included the first ever requirement that publicly-held 
firms undertake significant efforts to provide assurance on the effectiveness of their financial 
reporting process, as well as obtain an audit opinion on internal control in addition to the 
traditional financial statement audit. With the passage of the Sarbanes-Oxley Act and the 
Department of Homeland Security Financial Accountability Act of 2004, the Executive 
Branch took the opportunity to re-examine the internal control requirements within the 
Federal Government. 





In November 2003, former OMB Controller Linda Springer initiated a joint committee of the 
Chief Financial Officers’ Council (CFOC) and the President’s Committee on Integrity and 
Efficiency (PCIE). This joint committee was tasked with surveying federal agencies to 
identify differences in how current requirements are being implemented, reviewing the 
requirements of publicly-traded companies as laid out in the Sarbanes-Oxley Act, and 
reporting how those requirements may, or may not, apply to the Federal Government. 

The joint committee first examined the fundamental differences between the public and 
private sectors. Federal entities operate in an environment steeped in regulations, policies, 
and procedures intended to ensure that all fiscal and budgetary actions are legal. Because the 
goals and motivation of federal entities differ fundamentally from the private sector, they are 
much less vulnerable to the risk of manipulating financial reporting to achieve personal gain. 
Also, the actions of federal entities are open to public scrutiny and subject to multiple levels 
of oversight, including Congress, OMB, the Government Accountability Office (GAO), and 
independent Inspectors General (IG). 

Unlike the private sector, the actions of federal entities are subject to a myriad of laws and 
regulations designed to promote prudence and accountability. Examples of legislative 
requirements that support effective internal control include: 

• the Federal Managers’ Financial Integrity Act (FMFIA); 

• the Federal Information Security Management Act (FISMA); 

• the Inspector General Act; 

• the Chief Financial Officers Act; 

• the Government Management Reform Act; 

• the Federal Financial Management Improvement Act; and 

• the Improper Payments Information Act. 

At the center of these requirements is the FMFIA which establishes overall internal control 
requirements. This Act encompasses controls in programs, operational and administrative 
areas, as well as accounting and financial management. It also requires the agency head to 
evaluate and report on the controls and financial systems that protect the integrity of federal 
programs. 

Other regulatory requirements also exist to support effective internal control. For example, 
OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, requires 
auditors of federal financial statements to test and report on agencies’ internal controls over 
financial reporting in connection with the audit of the financial statements. Auditors must 
report internal control material weaknesses and reportable conditions as part of the annual 
financial audit process. These auditor-identified material weaknesses are reported annually to 
the President and Congress in each agency’s Performance and Accountability Report (PAR). 

After the joint CFOC/PCIE committee reviewed the existing federal internal control 
requirements in OMB Circular A-123, it then recommended that OMB strengthen this 
guidance for assessing the effectiveness of internal control. The committee developed 
amendments to Circular A-123 that would adopt the standards of internal control commonly 
used by the private sector and developed by the Committee of Sponsoring Organizations of 
the Treadway Commission (COSO) and published in its Internal Control - Integrated 
Framework document. These standards were adopted previously by the GAO in its Standards 
for Internal Control in the Federal Government (commonly known as the GAO Green Book). 
Key points and definitions from the GAO/PCIE Financial Audit Manual were also included in 
the amendments. As you see, we did not reinvent the wheel in amending A-123, we adopted 
private-sector standards that were tailored to be more specific and more responsive to the 
government environment. 

Revised OMB Circular A-123 

The most significant change to Circular A-123 is the requirement for agency management to 
follow a more comprehensive and coordinated approach when assessing the effectiveness of 
internal control over financial reporting and to document its assessment. Management must 
identify, test and document internal control effectiveness over financial reporting. Circular A- 
123 defines the scope of financial reporting to include financial statements, significant other 
financial reports and compliance with the laws and regulations that pertain to financial 
reporting. The outcome of the assessment process is a new separate assurance statement from 
management to be included in agency PARs on the effectiveness of the internal control over 
financial reporting. 

Circular A-123 also includes a provision to permit OMB to require a separate audit of internal 
control under certain circumstances. Thus, if an agency fails to meet its deadlines outlined in 
its corrective action plan to resolve material weaknesses, OMB may direct a separate audit of 
internal control to better focus management's internal control improvement plans. This 
approach is a cost-effective way to implement a separate audit requirement. 

The amendments to Circular A-123 are effective beginning in FY 2006. This fiscal year, 
federal agencies will be taking steps to prepare for its implementation. Here at Commerce, 
we have already begun to develop a plan that will identify the financial reporting scope, risk 
factors to assess, materiality levels, key controls, documentation requirements, and testing 
strategy. We will work in consultation with our Office of Inspector General to ensure 
effective implementation. The actual testing of controls is scheduled to begin in the second 
quarter of fiscal year 2006. We will then be in position to prepare our first management 
assurance statement for internal control over financial reporting as of June 30, 2006, to be 
included in our Performance and Accountability Report due November 2006. 

In addition, the CFO Council plans to develop an implementation guide for A-123, which will 
complement the policy document and provide a more hands-on approach to the assessment 
process of internal controls over financial reporting. The CFO Council will also sponsor 
training to assist federal agencies in meeting the new requirements. 

Related Initiatives 

In addition to the separate assurance statement in agency PARs, internal control 
improvements are also being tracked through the quarterly scorecard process of the Improved 
Financial Performance initiative of the President’s Management Agenda (PMA). The 
Improved Financial Performance initiative emphasizes the need for effective internal control, 
and getting to a “green” score on the scorecard requires agencies to eliminate all material 
internal control weaknesses. Ultimately, the goal is to ensure managers are making more 
timely and informed decisions on operations and costs at both the program and agency-wide 
levels. Yet, this objective cannot be achieved without a foundation of effective internal 
control from which reliable financial information can be routinely generated and used to 
support management decisions. 

I am pleased to report that Commerce recently attained “green” status in the Improved 
Financial Performance PMA initiative in the first quarter of fiscal year 2005. We are proud of 
our success, and that of the seven other CFO Act agencies that have also achieved that status. 
The efforts involved at a cabinet-level agency to overcome obstacles to obtain a clean audit 
opinion, integrate financial management systems, and eliminate material weaknesses cannot 
be overstated. With a higher bar now set out by Circular A-123, we realize that its 
implementation will require a serious and focused effort. 

It should also be noted that the accelerated federal financial reporting requirement has also 
served as a significant motivating factor for improved internal controls. Agencies have had to 
strengthen their controls over financial reporting in order to meet the current accelerated due 
dates for financial statement preparation and audit from five months after the end of the fiscal 
year (as it was only a few years ago) to 45 days after the fiscal year (as it was for FY 2004). 
Because they are no longer able to rely on workarounds, or “compensating controls,” agency 
CFO teams have invested additional resources in CFO operations and have reviewed their 
accounting systems and processes from a fresh perspective in preparing to meet the 
accelerated reporting requirement. New approaches to compiling accounting information, 
closing the books, and assembling financial statements and PARs have been implemented in 
order to meet the aggressive deadlines. 

Cost Analysis 

As part of the joint committee’s review, agencies were polled to better understand the costs 
associated with conducting internal control assessments and audits. Unfortunately, the 
majority of agencies did not have sufficient experience with the process envisioned in 
Circular A-123 to be able to estimate the costs with any degree of certainty. Other agencies 
have been performing the internal controls work for so long that solid data on costs is likewise 
hard to separately identify. We will continue to work with agencies to identify more specific 
cost data. Likewise, additional cost data should soon be available from the private sector 
relating to implementing the Sarbanes-Oxley Act requirements. 

Conclusion 

In closing, I would like to acknowledge the excellent collaboration and support in addressing 
this issue on the part of the PCIE and OMB, working with the CFO community. In addition, 
we received helpful suggestions from your subcommittee staff and GAO in our discussions 
with them. The approach presented here should be a model for how we can work together to 
ensure that federal programs operate as effectively and efficiently as possible. It is incumbent 
on us all to keep the federal financial community focused on this stewardship responsibility. 

Mr. Chairman, thank you again for this opportunity to speak to you today. I would be happy 
to entertain any questions you or the members of the subcommittee may have. 




Mr. Platts. Thank you, Secretary Wolff. 

Secretary Burnham. 

STATEMENT OF CHRISTOPHER B. BURNHAM 

Mr. Burnham. Mr. Chairman, thank you very much, Mr. Towns. 
It’s called editing on the go here, so we don’t repeat too much. 

I would request on behalf of all of us that our full written state- 
ments might appear in the record, Mr. Chairman. 

Mr. Platts. Without objection. 

Mr. Burnham. Thank you. 

It is a great honor and opportunity to be here. This is a terribly 
important event. Although it is not always looked upon as the sexi- 
est thing within our agencies, particularly at the State Depart- 
ment, nevertheless it is a terribly important aspect of how we run 
and conduct ourselves as stewards of the public trust. 

I am here today not only as Chief Financial Officer of the State 
Department, but also as a member of the CFO Council. The CFO 
Council and Department of State fully support the revisions to Cir- 
cular A-123. We commend this subcommittee for its efforts to pro- 
mote and strengthen internal controls. 

Sarbanes-Oxley was a necessary reaction to the heinous abuses 
of certain members of the corporate community and the need to re- 
store broad investor confidence. No less important is the need to 
build taxpayer confidence in how their money is spent in Washing- 
ton. The President’s management agenda is the premier effort to 
accomplish this. Circular A-123 is and will be an essential part of 
that effort. 

Under the direction of OMB in 2003 the CFO Council and the 
PCIE formed a joint committee, as my colleague Otto Wolff has 
said. The recommendations resulting from this joint effort formed 
the basis of the policy changes that we have seen today in A-123. 
The CFO Council also plans to work to develop an implementation 
and training guide, as my colleague also mentioned. 

Mr. Chairman, I believe this joint committee effort between the 
PCIE and the CFO Council is an excellent example of how both 
these communities, as well as the IG community, have worked to- 
gether to advance the public good. We are grateful to our col- 
leagues in the IG community for their professionalism and their 
dedication and their help in this effort. 

For all Federal agencies implementing the revised Circular, it 
provides a valuable opportunity to reassess the effectiveness of our 
overall internal control structure. The level of effort required 
depends on, in large part, the degree to which an agency fully 
implements the previous version of Circular A-123, which was written 
in 1995. Today the implementation of FMFIA varies amongst Federal 
agencies. Some have rigorous FMFIA programs that allow 
their agency heads to provide unqualified annual assurances about 
their controls, while others do not. These mixed results will directly 
impact the level of effort and resources required to successfully 
implement the overall internal control requirements of the revised 
Circular across the Federal Government. 

Some agencies, such as the State Department, will only need to 
modify slightly their existing management control programs. Others 
will need to overhaul their programs, particularly in the 
document and management control area. It is too soon to reasonably 
determine the impact across the agencies of implementing Appendix 
A. Since the requirement of Appendix A is more rigorous and 
prescriptive than the preexisting requirements, it is uncertain how 
many agencies would meet the new requirement today. 

Most agencies, including mine, will need to expand documenta- 
tion and enhance assessments of internal controls over financial re- 
porting. While we can and will learn from the private sector experi- 
ence implementing Section 404 of Sarbanes-Oxley, it will take addi- 
tional time to understand the impact of implementing Appendix A 
in the Federal agencies. 

If I can, Mr. Chairman, let me just highlight a few things that 
State has done as an example of what you have in the executive 
branch and how we are dedicated to meeting these goals. Over the 
last 4 years, we are down from 10 weaknesses to zero. This gave 
the Secretary, in this case Secretary Powell 2 years ago, the first 
opportunity to issue a clean assurance statement. 

The President’s management agenda score card, something we 
all now live and perhaps die by, we’re double green, in both 
improved financial management as well as budget and performance 
integration. The President’s quality award, the Malcolm Baldridge 
Award of Government, and I might also add, a fine Connecticut 
resident, the State Department won this year, one of seven 
agencies to win, recognizing our efforts to integrate the performance 
assessment rating to the PART system that OMB runs. 

As many agencies did, we were able to meet the accelerated 
reporting timeframe that OMB mandated of November 15th. This 
has led to huge reforms within the CFO community and has helped 
us and will continue to help us not only to get to green but also 
to meet the particulars of Circular A-123. 

We have a clean, timely financial opinion for the 8th year in a 
row, Mr. Chairman. And finally, our annual report, our perform- 
ance and accountability report, has won the CEAR award, the Cer- 
tificate of Excellence in Accountability Reporting for 4 years in a 
row. I might also add that compared with financial reports, annual 
reports in the private sector, 2 years ago we were fourth in the Na- 
tion, and this last year we were first in all of Government. 

None of the successes would have been possible without a sound 
management control structure that permeates our entire organiza- 
tion. That starts from the top down. I met with Secretary Rice this 
morning. She emphasized again her support of this effort and the 
effort of what you’re trying to lead, Mr. Chairman. We stand fully 
behind this effort and ready to implement in any way necessary, 
as I might add, does the CFO community. 

With that sir, I will be happy to answer any questions from you 
or of the committee. 

[The prepared statement of Mr. Burnham follows:] 





Statement of The Honorable Christopher B. Burnham 
Acting Under Secretary for Management, 
Assistant Secretary for Resource Management 
and 

Chief Financial Officer 
United States Department of State 

Before the 

Subcommittee on Government Management, Finance and 
Accountability 

Committee on Government Reform 
United States House of Representatives 

February 16, 2005 

“Changes to OMB Circular A-123, 
Management’s Responsibility for Internal Control” 


Thank you, Mr. Chairman, for the opportunity to appear before the 
Subcommittee today to discuss recent changes to the Office of Management 
and Budget’s (OMB) Circular A-123, Management’s Responsibility for 
Internal Control. I am providing my views on this subject from my 
perspective as both a member of the Chief Financial Officers’ (CFO) 
Council and as the CFO of the United States Department of State. The CFO 
Council and Department of State fully support the revised Circular and 
commend this Subcommittee for its efforts to promote and strengthen 
internal control throughout the Federal Government in a thoughtful and 
progressive manner. We also applaud the work of the Office of 
Management and Budget (OMB) and the President’s Council on Integrity 
and Efficiency (PCIE) to recognize and build upon the existing Federal 
internal control framework in an effort to strengthen and improve such 
controls through the revised Circular A-123. 

Some of the nation’s most dramatic business failures - notably Enron and 
WorldCom — occurred in the early 2000’s. These failures resulted in the 
passage of the Sarbanes-Oxley Act of 2002, which has led to sweeping 
changes in corporate accountability and the auditing profession. 

In light of these developments and recent legislation requiring the 
Department of Homeland Security to adopt practices similar to those 
imposed under the Sarbanes-Oxley Act, a reassessment of the existing 
internal control requirements for Federal agencies was begun in 2003. 
Fortunately, we have a solid foundation for internal control in the Federal 
Government resulting principally from the implementation of the Federal 
Managers’ Financial Integrity Act (FMFIA) over the past two decades. It is 
against this contextual backdrop that the recent revisions to OMB Circular 
A-123 were developed. 

Revisions to OMB Circular A-123 


The Federal Government often lags behind the private sector in many areas 
but not when it comes to internal control. In large part due to FMFIA, the 
Federal Government has been required for more than two decades to 
establish and maintain an internal control structure that not only covers 
financial reporting but also spans across the full range of a Federal agency’s 
programs and activities. FMFIA also requires that the head of the agency, 
based on an evaluation, provide an annual statement of assurance to the 
President and Congress on whether the agency has met this requirement. 

Background 

OMB Circular A-123 was first issued in the 1980’s to provide guidance to 
Executive departments and agencies on implementing the FMFIA. Several 
revisions have been made to the Circular since the early 1980’s to reflect the 
evolving nature and our improved understanding of internal controls during 
this time period. In the last two decades, much has been learned about the 
critical role internal controls play in organizations of any size. 

Since the early 1980’s, certain basic internal control tenets have evolved. 
What’s clear now is that every entity - regardless of its purpose, size, form 
of ownership, or organizational structure - must have effective internal 
controls to carry out its mission. The responsibility for establishing and 
maintaining those controls rests squarely on the shoulders of management. 
To advance a common understanding of internal control, a conceptual 
framework, consistent definitions and terminology, and criteria for 
evaluating controls are needed to focus the efforts of internal control 
stakeholders such as entity managers, auditors, legislators, regulators, 
citizens, and academics. Internal control must be established, documented, 
evaluated, and monitored in every entity. 




The Commission of Sponsoring Organizations of the Treadway Commission 
(COSO) is a leader in researching, developing, and promoting sound internal 
controls. COSO is an independent private sector initiative that studies the 
causes of fraudulent financial reporting and provides recommendations for 
preventing such occurrences by improving business ethics, internal controls, 
and corporate governance. In 1992, COSO published an integrated 
framework for internal control that is widely accepted and adopted 
throughout the private and public sectors today. This framework provides a 
conceptually sound and practical approach to establishing and evaluating 
internal controls. 

Joint CFO Council and PCIE Efforts 

Under the direction of OMB, in 2003 the CFO Council and PCIE formed a 
joint committee to evaluate the adequacy of internal control requirements in 
the Federal Government. This joint committee, comprised of representatives 
from the CFO and Inspector General (IG) communities, was tasked with 
reviewing the new internal control assurance requirements applicable to the 
private sector for their relevance to Federal agencies and developing new 
policies for internal control in the Federal Government, as considered 
necessary. The recommendations resulting from the joint committee’s work 
formed the basis for the policy changes imbedded in the revised Circular 
A-123. The CFO Council also plans to work with OMB to develop an 
implementation guide and training for Federal agencies. 

Mr. Chairman, I believe that this joint committee is an excellent example of 
how the CFO and IG communities can work together in a collaborative, 
professional manner to advance the public good. This model has been used 
successfully to facilitate the implementation of other important initiatives 
such as the Improper Payments Information Act of 2002. We are grateful to 
our colleagues in the IG community for the professional competence, 
technical skills, and business acumen they bring to bear on assessing internal 
control policies in the Federal environment. We look forward to working 
with them as we address the many challenges ahead. 

Key Provisions of the Revised Circular A-123 

The revised Circular reaffirms management’s responsibility for internal 
control in Federal programs and operations, and provides explicit guidance 
for management to use in carrying out its charge to establish, assess, 
strengthen, and report on internal control. The revised Circular calls for 
Federal agencies to deploy systematic and proactive measures to: 

• Develop and implement appropriate, cost-effective internal control for 
results-oriented management; 

• Assess the adequacy of internal control in Federal programs and 
operations; 

• Separately assess and document internal control over financial reporting; 

• Identify needed improvements; 

• Take corresponding corrective action; and 

• Report annually on internal control through management assurance 
statements included in the PAR. 

The revised Circular builds off of the fundamental principles underlying its 
predecessor (i.e., Circular A-123, revised June 21, 1995) to advance internal 
control to a new level within the Federal Government. In addition to 
providing more comprehensive and detailed internal control guidance to 
Federal managers, the revised Circular also includes the following 
significant changes. 

• Strengthens the Requirements for Assessing the Effectiveness of 
Internal Control over Financial Reporting - This area is viewed by 
many in the Federal financial management community as the most 
significant change imposed by the revised Circular. Appendix A of the 
Circular provides new specific requirements for conducting and 
documenting management’s assessment of the effectiveness of internal 
control over financial reporting, including a separate annual assurance on 
internal control over financial reporting. These new requirements are 
similar to those imposed by the Sarbanes-Oxley Act for the management 
of publicly-traded entities to assess, document, and report on the 
effectiveness of internal control over financial reporting. 

• Integrates Agency Internal Control Activities - The revised Circular 
emphasizes the need for agencies to consider, coordinate, and integrate 
other internal activities - many of which are required by statute - that 
contribute to internal control. For instance, the Improper Payments 
Information Act of 2002 requires agencies to determine which Federal 
programs are susceptible to improper payments, test high-risk programs, 
report the results in agency PARs, and determine the underlying cause for 
improper payments. This process will contribute to and strengthen an 
agency’s internal control infrastructure. The revised Circular A-123 
serves as the internal control umbrella under which other agency 
activities should be integrated to support management’s assertion about 
the effectiveness of internal control more broadly. 

• Incorporates COSO Framework - The revised Circular reflects 
currently accepted standards, objectives, and terminology for internal 
control based on the COSO framework and its five interrelated 
components: control environment, risk assessment, control activities, 
information and communication, and monitoring. 

• Encourages Use of Senior Management Councils and Senior 
Assessment Teams - The Circular recognizes the important role of 
senior management councils in Federal agencies to oversee the internal 
control program throughout the entity. The Circular also recommends 
the use of senior assessment teams, as a subset of the senior management 
council, to drive management’s assessment of internal control over 
financial reporting. 

• Creates Reportable Condition Category under FMFIA - The revised 
Circular defines control deficiencies and introduces the concept of 
reportable conditions under FMFIA reporting. This category is important 
because it must be tracked and monitored internally, which will help to 
resolve reportable conditions before they become material weaknesses. 

• Authorizes OMB to Require an Audit Opinion Selectively - While a 
separate audit opinion on internal control over financial reporting is not 
required by the Circular, OMB may, at its discretion, require an agency 
to obtain such an opinion. This provision would be used in situations 
where an agency continuously falls behind in correcting its deficiencies. 

• Requires Service Organizations to Provide Assurances - The revised 
Circular calls for management of cross-servicing agencies to provide an 
annual assurance statement, based on testing, to their customer agencies. 

The CFO Council fully supports the changes to Circular A-123. Each of the 
significant changes makes sense in the Federal environment and should lead 
to greater accountability for Federal programs and operations, including 
financial reporting. 

Impact of Revised Circular on Federal Financial Management 

Internal control is central to fulfilling our responsibility for accountability 
over taxpayer funds. We have recently witnessed in the private sector the 
catastrophic results that failures in internal control can trigger. 

Unfortunately, internal control is far from the most exciting subject to 
debate, and it usually takes a high-profile breakdown in controls for people 
to even notice them. Also, because internal controls focus on prevention, it 
is often very difficult to quantify the impact of improved controls. For 
instance, how do you measure the impact of fraud that was prevented, or the 
increase in public confidence that results from stronger control? 

Despite these difficulties, the current increased attention on internal control 
is well-placed. After two decades of implementing FMFIA, we understand 
what our counterparts in the private sector now appreciate - that internal 
control is integral to every part of an organization’s infrastructure rather than 
an isolated management tool. In the end, stronger controls yield beneficial 
dividends - even though they are difficult to measure. 

For all Federal agencies, implementing the revised Circular provides a 
valuable opportunity to reassess the effectiveness of their overall internal 
control structure. The level of effort required depends in large part on the 
degree to which an agency fully implemented the previous version of 
Circular A-123, dated June 21, 1995. Today, the implementation of FMFIA 
varies among Federal agencies - some have rigorous FMFIA programs that 
allow their agency heads to provide “unqualified” annual assurances about 
their controls while others do not. These mixed results will directly impact 
the level of effort and resources required to successfully implement the 
overall internal control requirements of the revised Circular across Federal 
agencies. Some agencies such as the State Department will only need to 
modify slightly their existing management control programs. Others may 
need to overhaul and document their management controls. It is interesting 
to note that with respect to an entity’s overall internal control structure 
(formerly known as “management controls”), the Federal Government’s pre- 
existing requirement for annual assurance statements by agency heads 
exceeds management’s requirements for publicly-traded companies under 
the Sarbanes-Oxley Act. 




It is too soon to reasonably determine the impact across agencies of 
implementing Appendix A of the revised Circular, which imposes new 
specific requirements for conducting management’s assessment of the 
effectiveness of internal control over financial reporting. Arguably, Federal 
agencies should have been documenting and assessing internal controls over 
financial reporting as part of FMFIA. However, since the requirements of 
Appendix A are more rigorous and prescriptive than the pre-existing 
requirements, it is unlikely that many Federal agencies would meet these 
new requirements today. Most agencies will need to expand documentation 
and enhance assessments of internal control over financial reporting. While 
we can and will learn from the private sector experience implementing 
similar requirements under the Sarbanes-Oxley Act, it will take additional 
time to understand the incremental impact of implementing Appendix A in 
Federal agencies. 

Importance of Controls at Department of State 

At the Department of State, we take our statutory responsibility under 
FMFIA very seriously. We have developed a robust management control 
structure that has been recognized as a best practice by OMB and enabled 
the Secretary of State to provide an unqualified (or “clean”) assurance 
statement for 2003 and 2004. As a result, we are now well-positioned to 
implement the revised Circular A-123 - not just the letter of the revised 
Circular but also the spirit and intent of this Administration to strengthen 
stewardship over taxpayer funds that underpin the revised Circular. 

A strong management control structure is essential for an organization such 
as the State Department, which functions in an extremely challenging and 
complex environment. The Department operates about 260 embassies and 
consulates located in more than 170 countries throughout the world as well 
as our domestic operations. We conduct business transactions in over 150 
currencies and even more languages and cultures. We provide the 
administrative operating platform for about 45 other U.S. Government 
organizations overseas and pay 64,000 persons each pay period on behalf of 
the Department and other serviced agencies. In short, no corporation or 
other Federal agency has the depth and variety of challenges faced daily by 
our team in support of the Department’s mission to create a more secure, 
democratic, and prosperous world for the benefit of the American people 
and international community. 




While we have a proud tradition of embracing both the concepts and 
practical application of controls throughout the State Department, we 
welcome the opportunity to strengthen them further as called for under the 
revised Circular. We recognize that robust controls are essential to 
managing our day-to-day activities and programs and they position us to 
face with confidence the many challenges that lie ahead as we carry out the 
Department’s foreign policy mission. 

Strong Controls Contribute to Our Success 

The Department’s management control program provides a solid foundation 
for moving beyond mere compliance with laws and regulations towards 
achieving world-class excellence in managing Federal programs and 
operations. Our sustained focus over the years on strengthening 
management control has served as a catalyst for positive change within the 
Department, resulting in the reduction of FMFIA material weaknesses from 
10 in FY 1999 to zero by the end of FY 2002. In addition, for the first time 
in 2003, and again in 2004, the Department’s independent auditors reported 
no material weaknesses in internal control. Our rigorous management 
control program has also led the way for the following significant 
accomplishments: 

• President’s Management Agenda Scorecard - In January 2005, OMB 
identified State, along with three other Federal agencies (Energy, Labor, 
and the Social Security Administration), as the most successful at 
implementing the management disciplines that underpin the President's 
Management Agenda (PMA). The Department has “double greens” for 
status and progress in implementing the PMA in the following areas: 
human capital, financial performance, E-Gov, and budget and 
performance integration. 

• President’s Quality Award - In December 2004, the Department 
received the President's Quality Award for its innovation in integrating 
OMB's Program Assessment Rating Tool (PART) into the Department's 
overall strategic and performance management processes, and for having 
some of the highest PART scores government-wide. This prestigious 
award is the highest recognition given by the Federal Government for 
managerial excellence. 




• Accelerated Reporting - We completed our 2004 Performance and 
Accountability Report (PAR) by November 15, 2004 - a feat 
unimaginable just a few years ago. When I joined the Department in 
2002, it took about five months after year-end to complete the annual 
financial statement audit, as compared to just 45 days for FY 2004. 
Meeting this goal for the first time in 2004 is particularly noteworthy in 
light of our competing priorities to support our mission in Iraq and 
successfully relocate our global financial operations to Charleston, SC. 

• Financial Accountability - For the eighth consecutive year, we received 
an unqualified (or “clean”) audit opinion on the Department’s 2004 
financial statements, which was especially challenging under the 
accelerated reporting date of November 15. Only a handful of Federal 
agencies can tout such a long-running accomplishment. 

• Award-Winning Reports - For the third year in a row, the 
Department’s FY 2003 PAR received the most prestigious award in 
Federal financial reporting, AGA’s Certificate of Excellence in 
Accountability Reporting. State is one of only four cabinet-level 
agencies to receive this award for FY 2003. Also, for the second year, 
the League of American Communications Professionals selected the 
Department’s 2003 PAR Highlights report as one of the best 100 annual 
reports in America and placed it first among government reports. 

None of these successes would have been possible without a sound 
management control structure that permeates our organization - from the 
tone set by top management to the manner in which transactions are 
processed on a daily basis, and every step in between. 

Our Current Control Program: A Best Practice 

Each year under FMFIA, the Department evaluates its management control 
systems. These evaluations provide reasonable assurance about whether the 
objectives of FMFIA are achieved and form the basis for the Secretary’s 
annual statement of assurance. Exhibit 1 depicts our current FMFIA annual 
assurance process. 

The Department’s management control program is overseen by the 
Management Control Steering Committee (MCSC), which I chair as the 
Assistant Secretary for Resource Management and Chief Financial Officer. 
The MCSC also includes nine other Assistant Secretaries [including the 
Chief Information Officer and the Inspector General (non-voting)], the 
Deputy Chief Financial Officer, and the Deputy Legal Adviser. State’s 
Office of Inspector General has served an important role as a collaborative 
partner with management through the MCSC, and adds value to the entire 
process. 

Individual assurance statements from Ambassadors assigned overseas and 
Assistant Secretaries in Washington, D.C. serve as the primary basis for the 
Department’s assurance that management controls are adequate. Individual 
assurance statements are based on information gathered from various 
sources including the managers’ personal knowledge of day-to-day 
operations and existing controls, management program reviews, and other 
management-initiated evaluations. In addition, the Office of Inspector 
General and the Government Accountability Office conduct periodic 
reviews, audits, inspections, and investigations of the Department’s 
programs and activities. 

To be considered a material weakness for FMFIA reporting purposes, the 
problem should be significant enough that it meets one or more of the 
following criteria. 

• Significantly impairs the fulfillment of the Department’s mission. 

• Deprives the public of needed services. 

• Significantly weakens established safeguards against waste, loss, 
unauthorized use or misappropriation of funds, property, other assets, 
or conflicts of interest. 

• Merits the attention of the Secretary, the President, or a relevant 
Congressional oversight committee. 

• Is of a nature that omission from the report could reflect adversely on 
the Department’s management integrity. 

During the last five years, the Department made significant progress by 
correcting each of its outstanding material weaknesses. In addition, there are 
no items specific to the Department on the Government Accountability 
Office’s High Risk List, and there have not been any since 1995. Exhibit 2 
shows the Department’s progress correcting and closing material 
weaknesses. 




In fiscal year 2002, the Department added the category of “reportable 
condition” to our program, which is now included in the revised Circular. 
Reportable conditions are less significant control matters that do not need to 
be reported under FMFIA but warrant MCSC monitoring and internal 
tracking. By introducing the reportable condition category of control 
weakness, the Department moved beyond merely fixing material weaknesses 
to actively identifying and preventing them. 

Implementing the Revised Circular: A “Green” Agency’s Perspective 

Building off of our successful FMFIA program and in the spirit of 
continuous improvement, we look forward to fully implementing the revised 
Circular. This provides us with the opportunity to take a fresh look at the 
effectiveness of our overall internal control program in today’s environment. 

While we expect to identify and implement certain improvements to our 
overall program, we do not expect wholesale changes. For instance, we 
envision a broader and more active role for our Management Control 
Steering Committee, particularly as it relates to internal control over 
financial reporting and the consideration of fraud within the Department 
(relating to Statement on Auditing Standards 99, Consideration of Fraud in 
a Financial Statement Audit). The MCSC will also play a key role in 
integrating other activities within the Department that contribute to our 
internal control structure. As mentioned previously, we already identify and 
track reportable conditions through the MCSC, so implementing this aspect 
of the revised Circular will not cause us additional effort. We intend to fully 
adopt COSO’s integrated framework for internal control, which will prompt 
revisions to our current FMFIA annual assurance process and related risk 
assessment tools. Of course, training would need to be provided at all levels 
of the Department to explain our enhanced internal control program and how 
each employee contributes to that program. 

Most of the changes to our overall control program will be implemented by 
State Department employees in the normal course of performing their daily 
activities, though some contractor support is planned. We are currently 
trying to determine whether our existing documentation of management 
control processes meets the requirements of the revised Circular. For 
instance, a starting point for us is to determine whether the documents 
produced in connection with our efforts to adopt the International 
Organization of Standardization’s ISO 9000 quality management standards 
would meet the requirements of revised Circular. Should we discover 
documentation gaps, there will be resource implications. 

The requirements of Appendix A present the most significant challenge to 
us. While we have extensive documentation of certain financial reporting 
processes and controls, we do not believe that the documentation is 
sufficiently comprehensive to fully satisfy the Circular’s requirements. This 
is another area in which we are actively trying to determine the resource 
implications of fully implementing the revised Circular. As both a 
cross-servicing agency and a customer of other Federal service organizations, we 
are assessing the impact of the new requirement for service organizations to 
provide annual assurance statements, based on control testing, to their 
customers. We are using a contractor skilled in audit techniques to assist us 
in implementing the requirements of Appendix A. 

We expect to incur one-time cost increases in 2005 and 2006 as we 
concentrate on first-time documentation and assessment efforts. We 
anticipate these costs dropping off and stabilizing for 2007 and beyond. It is 
too soon to quantify the impact of fully implementing the revised Circular. 
Once we comply with Appendix A, we expect our financial statement 
auditors to use management’s work as a starting point for conducting the 
audit, which may yield some audit savings. 

We view this revised Circular as an important means of appropriately 
managing the risk associated with Federal programs and activities to 
discharge our responsibilities as stewards of public funds. As a “green” 
agency, we will not rest on our accomplishments. As contemplated under 
the PMA Scorecard, we are continuously seeking to improve further our 
management of the State Department. The revised Circular provides us with 
the framework and tools needed to make significant advancements to our 
internal control infrastructure. 


Conclusion 


The CFO community appreciates the opportunity to implement the important 
policies included in the revised Circular A-123 in a systematic and orderly 
fashion. It is critical for management to understand, document, and assess 
its internal control over financial reporting to attain stewardship over 
taxpayer funds. We believe that the Circular, when fully implemented, will 
drive further improvements in the accuracy and timeliness of Federal 
financial reporting. We also believe that the revised Circular will cause 
agencies, such as the State Department, to re-examine existing control 
programs to identify opportunities to strengthen controls over the entire 
portfolio of Federal programs and operations. 

Thank you, Mr. Chairman, for allowing me to share my views on OMB’s 
revised Circular A-123. My colleagues in the CFO Council and I appreciate 
your leadership and the Committee’s on this and other Federal financial 
management initiatives. I look forward to answering any questions you may 
have. 




Exhibit 1: State’s FMFIA Annual Assurance Process 



Exhibit 2: State’s Material Weaknesses (FY 2000 through 2004) 


MATERIAL WEAKNESSES BY FISCAL YEAR 

Fiscal   Number at      Number      Number        Number Remaining 
Year     Beginning of   Corrected   Added         at End of 
         Fiscal Year                              Fiscal Year 

1999     10             7           0             3 
2000     3              2           2 (Note 1)    3 
2001     3              0           0             3 
2002     3              3           0             0 
2003     0              0           0             0 
2004     0              0           0             0 

Note 1: Reported by State as a result of the merger with the United States 
Information Agency. 




Drafted: RM/DCFO/FPRA;SConley 
2/10/05; ext. 31447 


Cleared: D:EYoung (ok) 

P:MWong (ok) 

S/P:EGreen (ok) 

M:SFeeley (ok) 

M/P:DWertman (ok) 

RM/DCFO:CFlaggs (ok) 

RM/CFO:CScalzo (ok) 

H:SEdmondson (ok) 


cc: RM/BP - Eric Hembree/Steve Dietz 

RM/SPP - Sid Kaplan/Jason Foley 




Mr. Platts. Thank you, Secretary Burnham. 

Before we move on, I do want to recognize our vice chairwoman 
for the subcommittee, the gentlelady from North Carolina Ms. Foxx 
has joined us. Thanks for being with us. 

Inspector General Higgins. 

STATEMENT OF JOHN P. HIGGINS, JR., INSPECTOR GENERAL 
OF THE DEPARTMENT OF EDUCATION 

Mr. Higgins. Mr. Chairman and members of the subcommittee, 
on behalf of the President’s Council on Integrity and Efficiency, 
thank you for the opportunity to discuss our perspectives on the 
changes made to OMB Circular A-123, Management’s Responsibility 
for Internal Control. I would also like to thank the committee 
for its dedication to the goal of improving financial management 
Government-wide, as well as its interest in legislation that would 
enhance the independence of the Inspectors General. 

The Federal Managers Financial Integrity Act of 1982 and 
OMB’s implementing guidance contained in A-123 defined management’s 
responsibility for internal control in Federal agencies, and 
are the center of the existing Federal requirements to improve 
internal control. Other significant legislation passed since the 
passage of the Integrity Act continued to highlight the importance of 
efficient and effective internal controls. 

My testimony will focus on four points: first, the importance of 
effective internal controls; second, how the audit community can 
coordinate its efforts with those of agency management; third, our 
perspectives on how the recent changes to A-123 may affect Federal 
financial management in general; and fourth, our views on future 
legislative action on Federal financial management. 

Internal control is important because it is the first line of defense 
in safeguarding assets and preventing and detecting errors and 
fraud. Effective internal controls help ensure accountability for 
resources, achievement of organizational objectives and availability of 
improved information for external reporting and internal management 
decisions. 

In short, internal control is a key factor in helping agencies 
achieve effective and efficient operations, reliable financial reporting 
and compliance with applicable laws and regulations. It is a 
fundamental and statutory responsibility of management to institute 
effective internal controls, assess them periodically and make 
course corrections as needed. Events of high profile fraud and 
mismanagement in the private sector and the Federal Government’s 
own financial reporting problems have resulted in the increased 
focus on management’s responsibility for internal control and 
dispelled the myth that internal control is but a mere academic 
exercise or it is of interest only to auditors and accountants. 

We must realize, however, that having effective internal control 
is not a guarantee that agencies will achieve the objectives of 
internal control. Effective internal control is designed to provide 
reasonable, not absolute, assurance of achieving those objectives. 
Establishment of specific controls is subject to cost benefit 
considerations, availability of resources to implement the controls, and any 
limitations or restrictions imposed by legislation. Effective internal 
controls also may be overridden by management and circumvented 
through collusion. 

My second point is how the audit community and agency management 
coordinate on internal control issues. This occurs at both 
the agency and Government-wide levels. There is ongoing coordination 
between agencies and their OIGs that can be helpful to agencies 
as they work to implement new guidance. Coordination between 
the audit community and agency management on internal 
control matters is inherent in the OIG’s mission. The resolution of 
audit findings provides a primary avenue for OIGs and agency 
management to discuss control assessments and propose corrective 
actions. 

At the Government-wide level, the type of cooperation that occurred 
between the CFO Council and the PCIE on the revisions to 
A-123 is not uncommon. The audit community, under the PCIE, 
periodically works with the CFO Council on internal control and 
management issues. An example is the joint CFO Council and 
PCIE Working Group on Improper Payments. This collaborative 
work group’s mission is to facilitate the reduction of improper 
payments throughout the Federal Government. 

These ongoing efforts to address internal control issues are a natural 
outgrowth of the responsibilities and relationships that OIGs 
have with their agencies. While the work of the OIGs can be helpful 
to agencies as management makes its own assessments, it cannot 
replace management’s own assessment efforts, which is contemplated 
under the new guidance. In addition, the OIG must 
guard against consulting type arrangements that might impair our 
independence for performing future audits. 

Third, I would like to turn our attention to major changes in 
A-123 and their potential impact on Federal financial management. 
In the past, the implementation of the Integrity Act has been 
inconsistent. The impact of the recent changes to A-123 depends on 
how aggressively an agency assessed its controls under the old 
guidance and how it will implement the new guidance. 

The most significant change is the new requirement for management 
to assess and document internal control over financial reporting 
and to provide a corresponding assurance statement annually 
that asserts the effectiveness of internal control over financial 
reporting. 

Another significant change is the more specific and strengthened 
requirement for management to have a clear, organized strategy 
with well-defined documentation processes that contain an audit 
trail, verifiable results, and specify document retention periods. 
This would enable someone not connected with the procedures to 
understand the assessment process. The documentation standard 
pertains to all internal control assessments management performs, 
not just those related to controls over financial reporting. 

Another significant change is OMB’s inclusion of the provision 
requiring an opinion on internal controls over financial reporting, 
if an agency continually misses agreed upon deadlines for correcting 
material weaknesses. This was a prudent, cost-effective way to 
provide flexibility to address serious, longstanding problems without 
forcing a one size fits all approach Government-wide. 





In the end, the effectiveness of the Integrity Act depends on 
management’s commitment to the intent of the legislation and 
implementing guidance. If aggressively implemented in a cost-effective 
manner, the resulting improvements to internal control should 
assist Government program managers in achieving desired results 
through effective stewardship of public resources. 

Finally, let me turn to my fourth point on future legislative action. 
Effective internal controls and financial management are core 
concerns of the PCIE community. We appreciate the opportunity to 
communicate with you and the CFO Council on these issues today. 
As your subcommittee moves forward to consolidate laws affecting 
these areas, we in the IG community welcome the opportunity to 
continue the dialog and provide assistance. The reassessment of 
financial management requirements of Federal agencies should be 
conducted in a cautious and deliberate manner, carefully considering 
the costs and the anticipated benefits of the changes. 

This concludes my statement, and I would be happy to answer 
any questions. 

[The prepared statement of Mr. Higgins follows:] 





Statement of John P. Higgins, Jr. 

Inspector General of the Department of Education 
and 

Chair of the Audit Committee 
President’s Council on Integrity and Efficiency 

Before the 

Subcommittee on Government Management, Finance and Accountability 
Committee on Government Reform 
United States House of Representatives 

February 16, 2005 


Mr. Chairman and Members of the Subcommittee: 

On behalf of the President’s Council on Integrity and Efficiency (PCIE), thank you for 
the opportunity to discuss our perspectives on the changes made to the Office of 
Management and Budget (OMB) Circular A-123, Management's Responsibility for 
Internal Control (A-123). I would also like to thank the committee for its dedication to 
the goal of improving financial management government-wide. 

The Federal Manager’s Financial Integrity Act of 1982 (FMFIA) and OMB’s 
implementing guidance contained in A-123 define management's responsibility for 
internal control in Federal agencies, and are the center of the existing Federal 
requirements to improve internal control. Other significant laws since passage of 
FMFIA continued to highlight the importance of efficient and effective internal controls 
to improving financial management and programmatic performance. Examples of such 
laws include the Chief Financial Officers Act of 1990, the Government Performance and 
Results Act of 1993, the Federal Financial Management Improvement Act of 1996, and 
the Clinger-Cohen Act, to name a few. 

My testimony will focus on the importance of effective internal control, why A-123 was 
revised, how the audit community can coordinate its independent role with agency 
management’s requirement to assess the effectiveness of internal control, our perspective 
on how the recent changes to A-123 may affect Federal financial management in general, 
and our views on future legislative action on Federal financial management. 

I. Importance of Internal Control 

Effective internal control is a key factor in helping agencies to achieve the following 
objectives: 

• Effectiveness and efficiency of operations and programs; 

• Reliability of financial reporting, including reports on budget execution, financial 
statements, and other reports for external and internal decision-makers; and 




• Compliance with applicable laws and regulations. 

Internal control also serves as the first line of defense in safeguarding assets and 
preventing and detecting errors and fraud. 

FMFIA required the Government Accountability Office (GAO) to issue standards for 
internal control in the Federal government. The latest version of the standards was issued 
in November 1999 and is based on the private sector internal control guidance known as 
Internal Control — Integrated Framework, published by the Committee of Sponsoring 
Organizations of the Treadway Commission (COSO). GAO discusses the fundamental 
objectives identified above and establishes five standards of internal control that define 
the minimum level of quality acceptable for internal control in the Federal government 
and provide the basis against which internal control is to be evaluated. The five standards 
for internal control are: 

• Control Environment, 

• Risk Assessment, 

• Control Activities, 

• Information and Communications, and 

• Monitoring. 

It is a fundamental and statutory responsibility of management to institute effective 
controls, assess them periodically, and make course corrections as needed, to ensure 
accountability for resources and achievement of organizational objectives. Events of 
recent years have dispelled the myth that internal control is but a mere academic exercise 
or is of interest only to accountants or auditors. High profile fraud and mismanagement 
in the private sector, and the Federal government’s own financial reporting problems, 
have resulted in an increased focus on management’s responsibility for internal control. 

My own office’s audit and investigative efforts have shown weak or poorly executed 
internal controls to be at the heart of problems that led to poor management decisions, 
ineffective financial reporting, and outright theft and fraud. For example, in recent work, 
we have recommended that the Department of Education improve internal controls to 
ensure that the data used to identify the most at-risk schools is complete, accurate, and 
applicable to the schools being evaluated. Other work found a guaranty agency’s claim 
review process for defaulted loans was not adequate to ensure that it claimed reinsurance 
only when appropriate. 

Conversely, Education’s success as one of the first cabinet level agencies to earn an 
unqualified or clean opinion on its financial statements by the accelerated date of 
November 15, 2003, one year ahead of the requirement, is due primarily to a sustained 
commitment by management to improving controls in the area of financial reporting. As 
these and future financial reporting improvements take hold across government, agencies 
should have better information for external reporting and internal management decisions. 




As important as internal control is, I do want to point out that having effective internal 
control is not a guarantee that the previously mentioned objectives of internal control will 
be achieved. Effective internal control is designed to provide reasonable, not absolute, 
assurance of achieving those objectives. Also, the establishment of specific controls is 
subject to cost/benefit considerations, availability of resources, and any limitations or 
restrictions imposed by law. Effective internal controls also may be overridden by 
management and circumvented through collusion. 

II. Why OMB Circular A-123 was Revised 

The generally accepted importance of internal control, recent financial reporting 
problems in both the Federal government and private sector, and the resulting new 
internal control requirements for public companies under the Sarbanes-Oxley Act of 2002 
(Sarbanes-Oxley), converged to lead OMB to convene a joint committee of the Chief 
Financial Officers Council (CFO Council) and PCIE to reassess internal control 
requirements in the Federal government. The new A-123 guidance resulted from that 
joint effort. 

The joint committee considered that at the heart of Sarbanes-Oxley is the new 
requirement that management of publicly traded companies assess the effectiveness of 
internal control over financial reporting and that the independent auditors provide an 
opinion on those controls. While FMFIA and A-123 had already required Federal 
government management to make an assertion about controls, the committee concluded 
that the guidance should be revisited in light of Sarbanes-Oxley. 

The result was an increased focus on management’s assessment and improvement of 
internal control over financial reporting, more stringent documentation requirements for 
all of management’s internal control assessment activities under FMFIA, and inclusion of 
a non-compliance clause that permits OMB to require an agency to obtain an audit 
opinion over the internal control over financial reporting if agreed upon deadlines for 
correcting material weaknesses are not met. 

III. Coordination Between the Audit Community and Agency Management on 
Internal Control Issues 


The type of cooperation that occurred between the CFO Council and PCIE on the 
revisions to A-123 is not uncommon. The Inspector General Act of 1978 (IG Act) has as 
one of its purposes “. . .to create independent and objective units. . .to provide leadership 
and coordination and recommend policies for activities designed (A) to promote 
economy, efficiency, and effectiveness in the administration of, and (B) to prevent and 
detect fraud and abuse in. . .programs and operations.” There is an ongoing coordination 
between agencies and their OIGs that can be helpful to the agencies as they work to 
implement the new guidance. However, we must guard against consulting type 
arrangements that might impair our independence for performing future audits. 




Coordination between the audit community and agency management on internal control 
matters is inherent in the OIG’s mission. The continuing assessment of controls 
surrounding an agency’s programmatic, financial and compliance efforts, and the 
subsequent public reporting of the results require this coordination. The requirements of 
A-123 are the responsibility of an agency’s management and not its auditors. Therefore, 
while OIG work can be a useful supplement to management’s own assessments of 
controls and plans for corrective actions, and can provide an independent validation of 
management’s assessments, OIG work does not replace management’s efforts. 

The resolution of audit findings provides a primary avenue for OIGs and agency 
management to discuss control assessments and corrective actions. The audit resolution 
process, where the auditors and agency management reach agreement on corrective 
actions for reported OIG findings, is a fundamental part of the PCIE community’s work. 
While the final decision about how to implement corrective actions is a management 
decision, there is still significant coordination and communication between the OIG and 
management on the course of action to be taken. 

Another avenue for coordination on internal control issues is in the requirements of the 
Reports Consolidation Act of 2000. This act requires each IG to summarize what the IG 
considers to be the most serious management and performance challenges facing the 
agency and briefly assess the agency’s progress in addressing those challenges. This is 
included in the agency’s annual Performance and Accountability Report, along with the 
audited financial statements and auditor’s reports. 

My office currently has two special efforts underway with Education’s management that 
address internal control issues. The first is a joint effort by my office and the Department 
of Education to develop a systematic process for identifying fraud types, both actual and 
potential, in the Student Financial Aid (SFA) programs. A second effort is an on-going 
campaign to alert students to the threat of identity theft by updating our website, 
www.ed.gov/misused, with information concerning recent scams against the SFA 
programs. This website was developed in conjunction with the Department’s Office of 
Federal Student Aid (FSA). 

At the government-wide level, the audit community under the PCIE periodically works 
with the CFO Council on internal control and management issues. An example is the 
Joint CFO Council and PCIE Working Group on Improper Payments. This collaborative 
Working Group’s mission is to facilitate the reduction of improper payments throughout 
the Federal government. The Working Group researched improper payments, critiqued 
potential methods of identifying and quantifying improper payments, developed improper 
payment indicators, and established benchmarks for measuring and preventing improper 
payments. In addition, the Working Group developed a common format for reporting 
improper payment results in agencies’ Performance and Accountability Reports. 

These ongoing efforts to address internal control issues are a natural outgrowth of the 
responsibilities and relationships OIGs have with their agencies. The work of the OIGs, 
while helpful to the agencies as they make their own assessments, cannot replace 
management’s assessment efforts contemplated under the new guidance. 

IV. Significant Changes to A-123 and the Impact on Federal Financial Management 

I would like to turn our attention to the major changes to A-123 and their potential impact 
on Federal financial management. 

Across the government, the implementation of FMFIA has been inconsistent. GAO 
reports for several years have noted agency FMFIA reporting that does not accurately 
characterize or fully disclose the weaknesses in their controls. And in some cases, 
agencies have settled into a pattern of reporting what the OIG or GAO may find, with 
little or no emphasis on management performing its own risk assessments and control 
testing. The impact on Federal financial management of the recent changes to A-123 
depends on how aggressively an agency assessed its controls under the old guidance, and 
how it implements the new requirements. 

The most significant change is the new requirement for management to assess and 
document internal control over financial reporting, and provide a corresponding 
assurance statement annually that asserts to the effectiveness of internal control over 
financial reporting as of June 30th. A separate appendix addressing this area was added to 
A-123 and provides specific requirements for conducting management’s assessment of 
the effectiveness of internal control over financial reporting. This emphasizes that 
management, and not the financial statement auditor, is responsible for implementing and 
assessing controls over financial reporting. Having an annual assessment by management 
will help ensure that once an agency has effective internal control, it will not deteriorate 
over time as personnel change and financial systems are replaced or changed. This 
renewed emphasis is critical to ensuring that agencies have good financial management 
information for managing their operations and should assist the Federal government in 
eventually receiving an unqualified opinion on its financial statements. 

Another significant change is the more specific and strengthened requirement for 
management to “have a clear, organized strategy with well-defined documentation 
processes that contain an audit trail, verifiable results, and specify document retention 
periods so that someone not connected with the procedures can understand the 
assessment process.” This documentation standard pertains to all the internal control 
assessments management performs, not just those related to controls over financial 
reporting. 

Updating the language and definitions in A-123 to align with the language in the COSO 
framework, the GAO internal control standards and the auditing literature should help 
eliminate confusion over what internal control really is, and promote a common 
understanding of materiality when assessing and reporting on internal control over 
financial reporting. It will be interesting to see if the new definition of reportable 
condition results in the reporting of more internal control deficiencies, which could 
provide the impetus for additional improvements in agencies’ financial management. 




We also agree with OMB’s inclusion of the provision requiring an opinion on internal 
controls over financial reporting, if an agency continually misses agreed-upon deadlines 
for correcting material financial control weaknesses. This was a prudent, cost effective 
way to provide flexibility to address serious, longstanding problems, without forcing a 
one size fits all approach government-wide. 

The argument could be made that in the government arena, FMFIA and A-123 
requirements have been around for a long time and the incremental costs should not be 
significant. However, the two documentation requirements described above could have 
significant resource impacts on the agencies implementing them. Both requirements 
provide greater specificity regarding what an agency should document and retain in 
support of its assessment of internal control. Similar type changes in the private sector 
suggest that, if aggressively implemented, the A-123 requirements could have significant 
costs associated with them. For example, much has been written about the impact of 
implementing the Sarbanes-Oxley requirement for a management assertion on the 
effectiveness of internal control over financial reporting of public companies, including 
the costs of enabling management to make the required assessments and assertions. 

There has also been discussion about the impact on accountants and auditors as 
companies compete for a limited pool of resources to help them meet their new 
responsibilities, and on CPA firms as they pare back smaller clients and reassign staff to 
the large public companies that must address the new requirements. This gives us an 
indication of increased costs associated with implementing the required assessments in 
A-123. 


In the end, the effectiveness of FMFIA depends on management's commitment to the 
intent of the law and implementing guidance. If aggressively implemented in a cost 
effective manner, the resulting improvements to internal control should assist government 
program managers in achieving desired results through effective stewardship of public 
resources. 

V. Future Legislative Action on Federal Financial Management 

Effective internal control and financial management are core concerns of the PCIE 
community, and we appreciate the opportunity to communicate with you on these issues 
today. As your subcommittee moves forward to address the patchwork of laws affecting 
these areas, we in the IG community welcome the opportunity to continue the dialogue 
and provide assistance. Our accumulated experience in reviewing Federal operations 
since passage of the Inspector General Act over 25 years ago could provide valuable 
insight for a reassessment of the existing financial management laws. Finally, the 
reassessment of financial management requirements of Federal agencies should be 
conducted in a cautious and deliberate manner, carefully considering the costs and 
anticipated benefits of any changes. 

This concludes my statement. I would be happy to answer any questions you may have. 




Mr. Platts. Thank you. Mr. Steinhoff. 

STATEMENT OF JEFFREY C. STEINHOFF, MANAGING DIRECTOR, 
FINANCIAL MANAGEMENT AND ASSURANCE, U.S. GOVERNMENT 
ACCOUNTABILITY OFFICE 

Mr. Steinhoff. Mr. Chairman, members of the subcommittee, 
I’m very pleased to be here today to talk about internal control and 
OMB’s recent changes to Circular A-123. Internal control gets to 
the heart of accountability. The subcommittee’s focus on this topic 
is very timely and most important. Your continuing leadership has 
been a catalyst to the broad accountability improvements we see 
across the Government today. 

The Congress has long recognized the importance of internal control. 
Over five decades ago, the Budget and Accounting Act of 1950 
placed the responsibility for internal control squarely on the shoulders 
of management. Management was told that they were responsible 
for maintaining sound systems of internal control. That was 
made very, very clear. 

In 1982, when faced with a series of major internal control 
breakdowns, the Congress responded with the Federal Managers’ 
Financial Integrity Act. In many respects, this action by the Con- 
gress put us two decades ahead of the private sector, which is now 
in some cases grappling for the first time with documenting con- 
trols and doing some of the things that Federal agencies have been 
doing for many years. 

This straightforward, two-page law reaffirms that sound internal 
control is a fundamental responsibility of management, and re- 
quires that agency heads sign their name on the dotted line each 
year as to whether their internal control systems meet the require- 
ments established by the Comptroller General. This is where Cir- 
cular A-123 comes in. It represents OMB’s guidance for assessing 
and reporting on internal control under the act. 

In short, we support the recent changes to A-123 and view them 
as a welcome step forward. We applaud the efforts of the adminis- 
tration to what I call revitalize this important act. 

I want to spend a few minutes highlighting what I think will be 
six issues critical to effectively implementing these changes, and in 
doing so speaking to some of the lessons learned from the early 
years of FMFIA. First, we support OMB’s plans to provide further 
implementation guidance. These materials should demand an ap- 
propriate rigor to whatever assessment and reporting process man- 
agement adopts. Management should have flexibility to do what 
makes sense in their environment. 

But at the same time, whatever guidance is issued, everyone 
must make sure that this does not become a paperwork exercise. 
In the initial years of FMFIA, agencies almost drowned in paper. 
Sometimes it seemed that the assessment and reporting process 
had become the end game. That’s why in 1995, OMB relaxed the 
assessment and reporting requirements. But the pendulum, I 
think, swung too far then and you saw very mixed implementation 
of the act. That required the recent recalibration or the changes to 
Circular A-123, to put this important accountability component 
fully back on the radar screen. So again, as I mentioned before, 
this is very, very welcome and very, very timely. 





Second, while the revised Circular focuses on internal control 
over financial reporting, which is very appropriate, agencies must 
also remain vigilant to the broader range of internal controls that 
cover program operations, which are exemplified by the 25 areas on 
GAO’s high risk list and are clearly the focus of FMFIA. 

Third, there will need to be strong support for managers 
throughout an agency, both because of the broader nature of 
FMFIA, about which I just spoke, but also because the CFO typi- 
cally does not control all the systems and processes needed for fi- 
nancial reporting. For example, at DOD about 80 percent of the in- 
formation needed for financial reporting comes from non-financial 
systems, such as logistics, procurement, or personnel systems. 
These systems are not under the purview of the Comptroller. 

Fourth, assessments will have to be risk-based, and the appro- 
priate balance reached between the costs and benefits of controls. 
In focusing on controls, you need to have the right controls at the 
right time and the right place, and to guard against both under 
and over control. I’m speaking not only about having cost-effective 
processes for assessment but assuring cost-effective controls as 
well. Because while the Government certainly has serious weak- 
nesses in areas where controls must be strengthened, I think there 
are many opportunities to streamline and simplify controls as well. 

Fifth, management testing of controls in operation will be impor- 
tant to knowing what is working well and what is not. The auditor 
can be a help here; but this job is a basic ongoing management re- 
sponsibility and should not be just shifted to the auditor. This is 
something you’ve got to be doing day to day, every day. 

Sixth, management has to be held accountable for doing the right 
thing. If there are serious internal control breakdowns and it is de- 
termined that management has not been vigilant in implementing 
FMFIA and following the concepts that are in the OMB circular, 
there should be some consequence for this. People do react and do 
act if they see there are incentives and disincentives. I think that 
was oftentimes lacking in the past. 

Annual oversight hearings, combined with linkage to the appro- 
priations process for agencies that are not doing the job, are 
valuable tools. And I don’t mean that just because an agency has 
a weakness, that they are not doing the job. They might have in- 
herited some deeply rooted problems they are still working on. So 
one must make both a qualitative and quantitative decision there. 
But oversight hearings and the appropriations process are two 
ways that Congress can make its voice heard and hold managers 
accountable. 

Let me touch on one final matter: auditor opinions on internal 
control over financial reporting, a concept we have long supported 
and continue to support. At GAO we practice what we preach. Not 
only do we render opinions of internal control over financial report- 
ing for the entities that we audit, the Bureau of the Public Debt, 
IRS, the FDIC, and soon to be SEC, but we also have our inde- 
pendent auditor render an opinion on our internal control over fi- 
nancial reporting. 

We believe that the joint GAO-PCIE financial audit manual 
holds the key to getting this important job done at a reasonable 
cost. We look forward to working with the CFOs and the IGs as 
they conduct the mandated cost benefit study. We want to do this 
right, and to roll it out in a way that makes sense. I think it should 
not be a matter of “if” this is ultimately done. It’s “when” it’s done 
and if it’s done in a way that adds value. 

Also as he discussed with you last week in his testimony on the 
audit of the 2004 consolidated financial statements of the U.S. Gov- 
ernment, the Comptroller General has been discussing this issue 
with the JFMIP principals. 

Mr. Chairman, this concludes my summary remarks. I want to 
again thank you and the members of the subcommittee for your im- 
portant leadership. I would be pleased to answer any questions 
that you may have. 

[The prepared statement of Mr. Steinhoff follows:] 



United States Government Accountability Office 

GAO 

Testimony 

Before the Subcommittee on Government Management, 
Finance, and Accountability, Committee on Government 
Reform, House of Representatives 

For Release on Delivery 
Expected at 2:00 p.m. EST 
Wednesday, February 16, 2005 

FINANCIAL MANAGEMENT 

Effective Internal Control Is Key to Accountability 

Statement of Jeffrey C. Steinhoff 
Managing Director, Financial Management and Assurance 

Accountability * Integrity * Reliability 

GAO-05-321T 


GAO Highlights 

Highlights of GAO-05-321T, a report to the 
Subcommittee on Government 
Management, Finance, and Accountability, 
Committee on Government Reform, 
House of Representatives 


Why GAO Did This Study 

Internal control is at the heart of 
accountability for our nation’s 
resources and how effectively 
government uses them. This 
testimony outlines the importance 
of internal control, summarizes the 
Congress’s long-standing interest in 
internal control and the related 
statutory framework, discusses 
GAO’s experiences and lessons 
learned from agency assessments 
since the early 1980s, and provides 
GAO’s views on the Office of 
Management and Budget’s (OMB) 
recent revisions to its Circular A-123. 

GAO highlights six issues 
important to successful 
implementation of the revised 
Circular, specifically, the need for 

1. supplemental guidance and 
implementation tools; 

2. vigilance over the broader 
range of controls covering 
program objectives; 

3. strong support from managers 
throughout the agency, and at 
all levels; 

4. risk-based assessments and an 
appropriate balance between 
the costs and benefits of 
controls; 

5. management testing of controls 
in operation to assess if they 
are designed adequately and 
operating effectively; and 

6. management accountability for 
control breakdowns. 

Finally, GAO discusses its views on 
the importance of auditor opinions 
on internal control over financial 
reporting. 

www.gao.gov/cgi-bin/getrpt?GAO-05-321T. 

To view the full product, including the scope 
and methodology, click on the link above. 
For more information, contact McCoy 
Williams at (202) 512-6906 or 
williamsm1@gao.gov. 


February 16, 2005 


FINANCIAL MANAGEMENT 

Effective Internal Control Is Key to 
Improving Accountability 


What GAO Found 

Internal control represents an organization's plans, methods, and procedures 
used to meet its missions, goals, and objectives and serves as the first line of 
defense in safeguarding assets and preventing and detecting errors, fraud, 
waste, abuse, and mismanagement. Internal control provides reasonable 
assurance that an organization’s objectives are achieved through 
(1) effective and efficient operations, (2) reliable financial reporting, and 
(3) compliance with laws and regulations. 

The Congress has long recognized the importance of internal control, 
beginning with the Budget and Accounting Procedures Act of 1950, which 
placed primary responsibility for establishing and maintaining internal 
control squarely on the shoulders of management. In 1982, when faced with 
a number of highly publicized internal control breakdowns, the Congress 
passed the Federal Managers’ Financial Integrity Act (FMFIA). FMFIA 
required agency heads to establish a continuous process for assessment and 
improvement of their agency’s internal control and to annually report on the 
status of their efforts. In addition the act required the Comptroller General to 
issue internal control standards and OMB to issue guidelines for agencies to 
follow in assessing their internal controls. 

GAO monitored and reported on FMFIA implementation efforts across the 
government in a series of four reports from 1984 through 1989 as well as in 
numerous reports targeting specific agencies and programs. With each 
report, GAO noted the efforts under way, but also that more needed to be 
done. In 1989, GAO concluded that while internal control was improving, 
the efforts were clearly not producing the results intended. The assessment 
and reporting process itself appeared to have become the endgame, and 
many serious internal control and accounting systems weaknesses remain 
unresolved as evidenced by GAO's high risk report which highlights serious 
long-standing internal control problems. 

In 1995, OMB made a major revision to its guidance that provided a 
framework for integrating internal control assessments with other work 
performed and relaxed the assessment and reporting requirements, giving 
the agencies discretion to determine the tools to use in arriving at their 
annual FMFIA assurance statements. OMB’s recent 2004 revisions to the 
internal control guidance are intended to strengthen the requirements for 
conducting management’s assessment of control over financial reporting. 

GAO supports OMB’s recent changes to Circular A-123 and in particular the 
principles-based approach for establishing and reporting on internal control. 
GAO also noted six specific issues that are important to successful 
implementation of OMB’s revised guidance and discusses its views on the 
importance of auditor opinions on internal control over financial reporting. 




Mr. Chairman and Members of the Subcommittee: 

I am pleased to be here today to discuss the importance of sound internal 
control as the foundation of accountability and the recent revisions by the 
Office of Management and Budget (OMB) to its Circular A-123, 
Management's Responsibility for Internal Control. 

Today, I would like to 

• highlight the key concepts underlying internal control; 

• summarize the Congress’s long-standing interest in internal control and 
the related statutory framework; 

• outline early experiences and lessons learned from implementation of 
31 U.S.C. 3512 (c), (d), commonly known as the Federal Managers’ 
Financial Integrity Act of 1982 (FMFIA); 

• provide our views on the recent revisions to Circular A-123 and the 
issues critical to effectively implementing these changes; and 

• discuss our views on the auditor’s role in reporting on internal control. 


The Key Concepts Underlying Internal Control 


Internal control represents an organization’s plans, methods, and 
procedures used to meet its missions, goals, and objectives and serves as 
the first line of defense in safeguarding assets and preventing and detecting 
errors, fraud, waste, abuse, and mismanagement. Internal control is to 
provide reasonable assurance that an organization's objectives are 
achieved through (1) effective and efficient operations, (2) reliable 
financial reporting, and (3) compliance with laws and regulations. 
Safeguarding of assets is a subset of all these objectives. The term 
“reasonable assurance” is important because no matter how well-designed 
and operated, internal control cannot provide absolute assurance that 
agency objectives will be met. Cost-benefit is an important concept to 
internal control considerations. Internal control is very broad and 
encompasses all controls within an organization, covering the entire 
mission and operations, not just financial operations. 




One need only to look at GAO’s January 2005 High-Risk Series: An 
Update,¹ in which we identify 25 areas of high risk for fraud, waste, abuse, 
and mismanagement, to see the breadth of internal control. While these 
areas are very diverse in nature, ranging from weapon systems acquisition 
to contract management to the enforcement of tax laws to the Medicare 
and Medicaid programs, all share the common denominator of having 
serious internal control weaknesses. In addition, as the Comptroller 
General testified² before the House Committee on Government Reform last 
week, certain material weaknesses in internal control have contributed to 
our inability to provide an opinion on whether the consolidated financial 
statements of the U.S. government are fairly stated in conformity with U.S. 
generally accepted accounting principles. Internal control weaknesses are 
also at the heart of the over $45 billion in improper payments reported by 
the federal government in fiscal year 2004 across a range of programs. 
Further, internal control includes things such as screening of air 
passengers and baggage to help address the risks associated with 
terrorism, network firewalls to keep out computer hackers, and credit 
checks to determine the creditworthiness of potential borrowers. 


The Congress Has Long Recognized the Importance of Internal Control 


The Congress has long recognized the importance of internal control, 
beginning with the Budget and Accounting Procedures Act of 1950,³ over 50 
years ago. The 1950 act placed primary responsibility for establishing and 
maintaining internal control⁴ squarely on the shoulders of agency 
management. As I will discuss later, the auditor can serve an important 
role by independently determining whether management’s internal control 
is adequately designed and operating effectively and making 
recommendations to management to improve internal control where 
needed. However, the fundamental responsibility for establishing and 
maintaining effective internal control belongs to management. 


¹GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005). 

²GAO, Fiscal Year 2004 U.S. Government Financial Statements: Sustained Improvement 
in Federal Financial Management Is Crucial to Addressing Our Nation's Future Fiscal 
Challenges, GAO-05-284T (Washington, D.C.: Feb. 9, 2005). 

³Budget and Accounting Procedures Act of 1950, ch. 946, 64 Stat. 832 (1950). 

⁴The act used the phrase “systems of accounting and internal control.” 


In 1982, when faced with a number of highly publicized internal control 
breakdowns, the Congress passed FMFIA⁵ with a goal of strengthening 
internal control and accounting systems. This two-page law, a copy of 
which is in appendix I, defined internal control⁶ broadly to include 
program, operational, and administrative controls as well as accounting 
and financial management, and reaffirmed that the primary responsibility 
for adequate systems of internal control rests with management. Under 
FMFIA, agency heads are required to establish a continuous process for 
assessment and improvement of their agency’s internal control and to 
publicly report on the status of their efforts by signing annual statements of 
assurance as to whether internal control is designed adequately and 
operating effectively. Where there are material weaknesses, the agency 
heads are to disclose the nature of the problems and the status of 
corrective actions in an annual assurance statement. Today, agencies are 
generally meeting their FMFIA reporting requirement by including this 
information in their Performance and Accountability reports, which also 
include their audited financial statements. The act also required that the 
Comptroller General establish internal control standards and that OMB 
issue guidelines for agencies to follow in assessing their internal control 
against the Comptroller General’s standards. 

OMB first issued Circular A-123, then entitled Internal Control Systems, in 
October 1981, in anticipation of FMFIA becoming law. In December 1982, 
following FMFIA enactment, OMB issued the assessment guidelines 
required by the act. OMB’s Guidelines for the Evaluation and 
Improvement of and Reporting on Internal Control Systems in the 
Federal Government detailed a seven-step internal control assessment 
process targeted to an agency’s mission and organizational structure. The 
Comptroller General issued Standards for Internal Control in the Federal 
Government in 1983.⁷ These standards apply equally to financial and 
nonfinancial controls.⁸ In August 1984, OMB issued a question and answer 
supplement to its assessment guidelines, intended to clarify the 
applicability of the Comptroller General's internal control standards and to 
assist agencies in assessing risk and correcting weaknesses. 

⁵Pub. L. No. 97-255, 96 Stat. 814 (Sept. 8, 1982). FMFIA was repealed as part of the general 
revisions to title 31, U.S. Code. The key provisions of FMFIA were codified at 31 U.S.C. § 
3512 (c), (d). 

⁶FMFIA used the term “internal accounting and administrative controls.” OMB initially used 
the term “management control.” In revising Circular A-123 in 2004, OMB replaced the term 
management control with internal control, to better align with the Comptroller General's 
internal control standards. Management control and internal control are synonymous. 

⁷The Comptroller General revised the standards in 1999, based on developments in internal 
control theory, the effects of information technology, and the passage of a series of 
landmark reforms. GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). 

The 1990s brought additional legislation that reinforced the significance of 
effective internal control. The Chief Financial Officers (CFO) Act,⁹ which 
among other things provided for major transformation of financial 
management, including the establishment of CFOs, called for financial 
management systems to comply with the Comptroller General’s internal 
control standards. The Government Performance and Results Act of 1993¹⁰ 
required agencies to clarify missions, set strategic and performance goals, 
and measure performance toward those goals. Internal control plays a 
significant role in helping managers achieve their goals. The Government 
Management Reform Act of 1994¹¹ expanded the CFO Act by establishing 
requirements for the preparation and audit of agencywide financial 
statements and consolidated financial statements for the federal 
government as a whole. The 1996 Federal Financial Management 
Improvement Act¹² identified internal control as an integral part of 
improving financial management systems. These are just a few of the 
legislative initiatives over the years aimed at improving government 
effectiveness and accountability. The Congress has been consistent over 
the years in demanding that agencies have effective internal control and 
accounting systems. 


Early Experiences and Lessons Learned from Agency FMFIA Implementation 


From the outset, agencies faced major challenges in implementing FMFIA. 
The first annual assessment reports were due by December 31, 1983. This 
time frame gave agencies a little over a year to develop and implement an 
agencywide internal control assessment and reporting process to provide 
the information needed to support the first agency head assurance 
statement to the President and the Congress. OMB assembled an 
interagency task force called the Financial Integrity Task Force and visited 
all federal departments and the 10 largest agencies to foster 
implementation of its internal control assessment guidelines. Starting in 
1983, GAO monitored and reported on FMFIA implementation efforts 
across the government in a series of four reports from 1984 through 1989 as 
well as in numerous reports targeting specific agencies and programs. 

⁸The five standards for internal control are (1) control environment, (2) risk assessment, 
(3) control activities, (4) information and communications, and (5) monitoring. 

⁹Pub. L. No. 101-576, 104 Stat. 2838 (Nov. 15, 1990). 

¹⁰Pub. L. No. 103-62, 107 Stat. 285 (Aug. 3, 1993). 

¹¹Pub. L. No. 103-356, 108 Stat. 3410 (Oct. 13, 1994). 

¹²Pub. L. No. 104-208, div. A, § 101(f), title VIII, 110 Stat. 3009, 3009-389 (Sept. 30, 1996). 

In our first governmentwide report, issued in 1984, we noted that although 
early efforts were primarily learning experiences, agencies had 
demonstrated a commitment to implementing FMFIA with a good start at 
assessing their internal control and accounting systems. We found 
agencies had established systematic processes to assess, improve, and 
report on their internal control and accounting systems, and we observed 
that federal managers had become more aware of the need for good 
internal control and improved accounting systems. OMB played an active 
role, providing guidance and central direction to the program. Though the 
nature and extent of participation varied, most inspectors general also 
played a major role in the first year. Our 1984 report outlined key steps to 
improve implementation, including adequate training and guidance, the 
importance of a positive attitude and a mind-set to hold managers 
accountable for results, and the need for more internal control testing. 

Our second governmentwide report in 1985¹⁴ noted that FMFIA had 
provided a significant impetus to the government’s attempts to improve 
internal control and accounting systems by focusing attention on the 
problems. Agencies continued to identify material internal control and 
accounting system weaknesses with a number of major improvement 
initiatives under way. We identified needed improvements to FMFIA 
implementation similar to those in our 1984 report, but also identified the 
need to reduce the paperwork associated with agency assessment efforts. 
In particular, vulnerability assessments aimed at identifying the areas of 
highest risk in order to prioritize more detailed internal control reviews 
were widely criticized by agencies as paperwork exercises. It was widely 
thought that while agencies had devoted considerable resources assessing 
the vulnerability of thousands of operations and functions, these efforts did 
not provide management with a whole lot of reliable and useful 
information. 

¹³GAO, Implementation of the Federal Managers' Financial Integrity Act: First Year, 
GAO/OCG-84-3 (Washington, D.C.: Aug. 24, 1984). 

¹⁴GAO, Financial Integrity Act: The Government Faces Serious Internal Control and 
Accounting Systems Problems, GAO/AFMD-86-14 (Washington, D.C.: Dec. 23, 1985). 

Our third governmentwide report was issued in 1987.¹⁵ We noted that an 
important step in strengthening internal control is verifying that planned 
corrective actions have been implemented as envisioned and that the 
completed corrective actions have been effective. We found instances 
where (1) corrective measures taken had not completely corrected the 
identified weaknesses and (2) actions to resolve weaknesses had been 
delayed, in some cases for years. 

Our fourth governmentwide report,¹⁶ issued in 1989 for which the title, 
Ineffective Internal Controls Result in Ineffective Federal Programs and 
Billions in Losses, is still appropriate in today’s environment, concluded 
that while internal control was improving, the efforts were clearly not 
producing the results intended. We noted continuing widespread internal 
control and accounting system problems and the need for greater top-level 
leadership. We reported that what started off as a well-intended program 
to foster the continual assessment and improvement of internal control 
unfortunately had become mired in extensive process and paperwork. 
Significant attention was focused on creating a paper trail to prove that 
agencies had adhered to the 0MB assessment process and on crafting 
voluminous annual reports that could exceed several hundred pages. It 
seemed that the assessment and reporting processes had, at least to some, 
become the endgame. 

At the same time, there were some important accomplishments coming 
from FMFIA. Thousands of problems were identified and fixed along the 
way, especially at the lower levels where internal control assessments were 
performed and managers could take focused actions to fix relatively simple 
problems. Unfortunately, many of the more serious and complex internal 
control and accounting system weaknesses remained largely unchanged 
and agencies were drowning in paper. 


¹⁵GAO, Financial Integrity Act: Continuing Efforts Needed to Improve Internal Control 
and Accounting Systems, GAO/AFMD-88-10 (Washington, D.C.: Dec. 30, 1987). 

¹⁶GAO, Financial Integrity Act: Inadequate Controls Result in Ineffective Federal 
Programs and Billions in Losses, GAO/AFMD-90-10 (Washington, D.C.: Nov. 28, 1989). 


In March 1989, GAO, along with representatives of seven agencies, OMB, 
and the President’s Council on Integrity and Efficiency (PCIE),¹⁷ reviewed 
aspects of FMFIA implementation as part of a subcommittee of the Internal 
Control Interagency Coordination Council. The subcommittee’s report 
highlighted the following seven issues as requiring action: 

• Link the internal control assessment and reporting process with the 
budget to assist the Congress and OMB in analyzing the impact of 
corrective actions on agency resources. 

• Emphasize the early warning capabilities of the internal control process 
to ensure timely actions to correct weaknesses identified. 

• Consolidate the review processes of various OMB circulars to eliminate 
overlapping assessment requirements, improve staff utilization, and 
reduce the paper being generated. 

• Provide for and promote senior management involvement in the internal 
control process to ensure more effective and lasting oversight and 
accountability for FMFIA activities. 

• Highlight the most critical internal control weaknesses in the FMFIA 
assurance statements to increase the usefulness of the report to the 
President and the Congress. 

• Report on agency processes to validate actions taken to correct material 
weaknesses, ascertain that desired results were achieved, and reduce 
the likelihood of repeated occurrences of the same weaknesses. 

• Improve management awareness and understanding of FMFIA to 
provide for more consistent program manager interpretation and 
acceptance of the act. 

Too much process and paper continued to be a problem, and in 1995 OMB 
made a major revision to Circular A-123 that relaxed the assessment and 
reporting requirements. The 1995 revision integrated many policy 
issuances on internal control into a single document and provided a 
framework for integrating internal control assessments with other reviews 
being performed by agency managers, auditors, and evaluators. In 
addition, it gave agencies the discretion to determine which tools to use in 
arriving at the annual assurance statement to the President and the 
Congress, with the stated aim of achieving a streamlined management 
control program that incorporated the then administration’s reinvention 
principles. 

¹⁷PCIE was established to address integrity, economy, and effectiveness issues that 
transcend individual government agencies. 


Revised OMB Circular A-123 Marks an Important Step toward Achieving FMFIA Objectives 


And this brings us to the present. The recent December 2004 update to 
Circular A-123 reflects policy recommendations developed by a joint 
committee of representatives from the CFO Council (CFOC)¹⁸ and PCIE. 
The changes are intended to strengthen the requirements for conducting 
management’s assessment of internal control over financial reporting. The 
December 2004 revision to the Circular also emphasizes the need for 
agencies to integrate and coordinate internal control assessments with 
other internal control-related activities. 


We support OMB’s efforts to revitalize FMFIA through the December 2004 
revisions to Circular A-123. These revisions recognize that effective 
internal control is critical to improving federal agencies’ effectiveness and 
accountability and to achieving the goals that the Congress established in 
1950 and reaffirmed in 1982. The Circular correctly recognizes that instead 
of considering internal control an isolated management tool, agencies 
should integrate their efforts to meet the requirements of FMFIA with other 
efforts to improve effectiveness and accountability. Internal control should 
be an integral part of the entire cycle of planning, budgeting, management, 
accounting, and auditing. It should support the effectiveness and the 
integrity of every step of the process and provide continual feedback to 
management. 

In particular, we support the principles-based approach in the revised 
Circular for establishing and reporting on internal control that should 
increase accountability. This type of approach provides a floor for 
expected behavior, rather than a ceiling, and by its nature, greater 
judgment on the part of those applying these principles will be necessary. 
Accordingly, clear articulation of objectives, the criteria for measuring 
whether the objectives have been successfully achieved, and the rigor with 
which these criteria are applied will be critical. Providing agencies with 
supplemental guidance and implementation tools is particularly important, 
in light of the varying levels of internal control maturity that exist across 
government as well as the expected divergence in implementation that is 
typically found when a range of entities with varying capabilities apply a 
principles-based approach. 

¹⁸CFOC is an organization of the CFOs and deputy CFOs of the largest federal agencies, and 
senior officials of OMB and the Department of the Treasury who work collaboratively to 
improve financial management in the U.S. government. 

¹⁹Both PCIE and CFOC are chaired by OMB’s Deputy Director for Management. 

I would now like to highlight what I think will be the six issues critical to 
effectively implementing the changes to Circular A-123 based on the 
lessons learned over the past 20 years under FMFIA. 

First, OMB indicated that it plans to work with the CFOC and PCIE to 
provide further implementation guidance. For the reasons I just 
highlighted, we support the development of supplemental guidance and 
implementation tools, which will be particularly important to help ensure 
that agency efforts are properly focused and meaningful. These materials 
should demand an appropriate rigor to whatever assessment and reporting 
process management adopts as well as set the bar at a level to ensure that 
the objectives of FMFIA are being met in substance, with a caution to guard 
against excessive focus on process and paperwork. Supplemental 
guidance and implementation tools should be aimed at helping agency 
management achieve the bottom-line goal of getting results from effective 
internal control. 

Second, while the revised Circular A-123 emphasizes internal control over 
financial reporting, it will be important that proper attention also be paid to 
the other two internal control objectives covered by FMFIA and discussed 
in the Circular, which are (1) achieving effective and efficient operations 
and (2) complying with laws and regulations. Also, as I mentioned earlier, 
safeguarding assets is a subset of all three objectives. 

Third, managers throughout an agency and at all levels will need to provide 
strong support for internal control. As I discussed earlier, the 
responsibility for internal control does not reside solely with the CFO. A 
case in point is internal control over improper payments, which is the 
responsibility of a range of agency officials outside of the CFO operation. 
Also, with respect to financial reporting, which the revised OMB Circular A-123 
specifically refers to as a priority area, the CFO generally does not 
control all of the needed information and often depends on other business 
systems for much of the financial data. For example, at the Department of 
Defense (DOD), about 80 percent of the information needed to prepare 
annual financial statements comes from other business systems, such as 
logistics, procurement, and personnel information systems, that are not 
under the CFO. 

Fourth, agencies must strike an appropriate balance between costs and 
benefits, while at the same time achieving an appropriate level of internal 
control. Internal controls need to be designed and implemented only after 
properly identifying and analyzing the risks associated with achieving 
control objectives. Agencies need to have the right controls, in the right 
place, at the right time, with an appropriate balance between related costs 
and benefits. In this regard, the revisions to Circular A-123 outline the 
concept of risk assessment for internal control over financial reporting by 
laying out an assessment approach at the process, transaction, and 
application levels. A similar approach needs to be applied as well to the 
other business areas and the range of programs and operations as 
envisioned in FMFIA. 

Fifth, management testing of controls in operation to determine their 
soundness and whether they are being adhered to and to assist in the 
formulation of corrective actions where problems arise will be essential. 
This is another area covered by the revised Circular A-123. Testing can 
show whether internal controls are in place and operating effectively to 
minimize the risk of fraud, waste, abuse, and mismanagement and whether 
accounting systems are producing accurate, timely, and useful information. 
Through adequate testing, agency managers should know what is working 
well and what is not. Management will then be able to focus on corrective 
actions as needed and on streamlining controls if testing shows that 
existing controls are not cost-effective. 

Sixth, personal accountability for results will be essential, starting with top 
agency management and cascading down through the organization. 

Regular oversight hearings, such as this one, will be critical to keeping 
agencies accountable and expressing the continual interest and 
expectations of the Congress. Independent verification and validation 
through the audit process, which I will talk about next, is another means of 
providing additional accountability. There should be clear rewards 
(incentives) for doing the right things and consequences (disincentives) for 
doing the wrong things. If a serious problem occurs because of a 
breakdown in internal control and it is found that management did not do 
its part to establish a proper internal control environment, or did not act 
expeditiously to fix a known problem, those responsible need to be held 
accountable and face the consequences of inaction. The revised Circular 
A-123 encourages the involvement of senior management councils in 
internal control assessment and monitoring, which can be an excellent 
means of establishing accountability and ownership for the program. 


The Auditor’s Role in Evaluating Management’s Internal Control Efforts 


In initiating the revisions to Circular A-123, OMB cited the new internal 
control requirements for publicly traded companies that are contained in 
the Sarbanes-Oxley Act of 2002. Sarbanes-Oxley was born out of the 
corporate accountability failures of the past several years. Sarbanes-Oxley 
is similar in concept to the long-standing requirements for federal agencies 
in FMFIA and Circular A-123. Under Sarbanes-Oxley, management of a 
publicly-traded company is required to (1) annually assess the internal 
control over financial reporting at the company and (2) issue an annual 
statement on the effectiveness of internal control over financial reporting. 
The company’s auditors are then required to attest to and report on 
management’s assessment as to the effectiveness of its internal control. 
This is where Sarbanes-Oxley differs from FMFIA. FMFIA does not call for 
an auditor opinion on management’s assessment of internal control over 
financial reporting nor does it call for an auditor opinion on the 
effectiveness of internal control. Likewise, Circular A-123 does not adopt 
these requirements, although the Circular does recognize that some 
agencies are voluntarily getting an audit opinion on internal control over 
financial reporting. 


Our position is that an auditor’s opinion on internal control over financial 
reporting is similarly important in the government environment. We view 
auditor opinions on internal control over financial reporting as an 
important component of monitoring the effectiveness of an entity’s risk 
management and accountability systems. In practicing what we preach, we 
not only issue an opinion on internal control over financial reporting at the 
federal entities where we perform the financial statement audit, including 
the consolidated financial statements of the U.S. government, but we also 
obtain an auditor’s opinion on internal control on our own annual financial 
statements. On their own initiative, the Social Security Administration 
(SSA) and Nuclear Regulatory Commission also received opinions on 
internal control over financial reporting for fiscal year 2004 from their 
respective independent auditors. 

Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002). 

See Management's Reports on Internal Control Over Financial Reporting and Certification 
of Disclosure in Exchange Act Periodic Reports, 68 Fed. Reg. 36635 (June 18, 2003) (codified 
at scattered sections of title 17, Code of Federal Regulations). 

Currently, we perform financial statement audits at the Federal Deposit Insurance 
Corporation, the Internal Revenue Service, the Bureau of the Public Debt, and the Securities 
and Exchange Commission. 

In considering when to require an auditor opinion on internal control, the 
following four questions can be used to frame the issue. 

1. Is this a major federal entity, such as the 24 departments and agencies 
covered by the CFO Act? There would be different consideration for 
small simple entities versus large complex entities. 

2. What is the maturity level of internal control over financial reporting? 

3. Is the agency currently in a position to attest to the effectiveness of 
internal control over financial reporting and subject that conclusion to 
independent audit? 

4. What are the benefits and costs of obtaining an opinion? 

What underlies these questions is whether management has done its job of 
assessing its internal control and has a firm basis for its assertion statement 
before the auditor is tasked with performing work to support an opinion on 
internal control over financial reporting. As I have stressed throughout my 
testimony today, internal control is a fundamental responsibility of 
management, including ongoing oversight. The auditor’s role, similar to its 
opinion on the financial statements issued by management, would be to 
state whether the auditor agrees with management’s assertion that its 
internal control is adequate so that the reader has an independent view. 

As an example, consider DOD which has many known material internal 
control weaknesses. Of the 25 areas on GAO’s high-risk list, 14 relate to 
DOD, including DOD financial management. Given that DOD management 
is clearly not in a position to state that the department has effective internal 
control over financial reporting, there would be no need for the auditor to 
do additional audit work to render an opinion that internal control was not 
effective. On the other hand, as I just mentioned for fiscal year 2004, SSA 
management reported that it does not have any material internal control 
weaknesses over financial reporting. The auditor’s unqualified opinion 
over financial reporting at SSA provided an independent assessment of 
management’s assertion about internal control, which we believe by its 
nature adds value and creditability similar to the auditor’s opinion on the 
financial statements. 

If the auditor follows the joint GAO/PCIE Financial Audit Manual (FAM), as is expected 
for federal financial statement audits, the work performed should be adequate to render an 
opinion on internal control. 

As you know, Mr. Chairman, recent legislation making the Department of 
Homeland Security (DHS) subject to the provisions of the CFO Act, which 
this Subcommittee spearheaded, requires DHS management to provide an 
assertion on the effectiveness of internal control over financial reporting 
for fiscal year 2005 and to obtain an auditor’s opinion on its internal control 
over financial reporting for fiscal year 2006. In addition, the CFO Council 
and PCIE are required by the DHS legislation to jointly study the potential 
costs and benefits of requiring CFO Act agencies to obtain audit opinions 
on their internal control over financial reporting, and GAO is to perform an 
analysis of the information provided in the report and provide any findings 
to the House Committee on Government Reform and the Senate Committee 
on Homeland Security and Governmental Affairs. We believe that the 
study and related analysis are important steps in resolving the issues 
associated with the current reporting on the adequacy of internal control. 
In addition, this issue is being discussed by the Principals of the Joint 
Financial Management Improvement Program — the Comptroller General, 
the Director of OMB, the Secretary of the Treasury, and the Director of the 
Office of Personnel Management. 


In closing, as the Congress and the American public have increased 
demands for accountability, the federal government must respond by 
having a high standard of accountability for its programs and activities. 
Areas vulnerable to fraud, waste, abuse, and mismanagement must be 
continually evaluated to ensure that scarce resources reach their intended 
beneficiaries; are used properly; and are not diverted for inappropriate, 
illegal, inefficient, or ineffective purposes. 


^'Pub. L. No. l(»^, 118 Stat. 1275 (Oct 16, 2004). 

Since passing the legislation, the Senate Committee on Governmental Affairs changed its 
name to the Senate Committee on Homeland Security and Governmental Affairs. 




I want to emphasize our commitment to continuing our work with the 
Congress, the administration, the federal agencies, and the audit 
community to continually improve the quality of internal control 
governmentwide, and to help ensure that action is taken to address the 
internal control vulnerabilities that exist today. To that end, as I said 
earlier, the leadership of this Subcommittee will continue to be an 
important catalyst for change, and I again thank you for the opportunity to 
participate in this hearing. 

Mr. Chairman, this completes my prepared statement. I would be happy to 
respond to any questions you or other Members of the Subcommittee may 
have at this time. 


Contacts and Acknowledgments 


For information about this statement, please contact Jeffrey C. Steinhoff at 
(202) 512-2600 or McCoy Williams, Director, Financial Management and 
Assurance, at (202) 512-6906 or at williamsml@gao.gov. Individuals who 
made key contributions to this testimony include Mary Arnold Mohiyuddin, 
Abe Dymond, and Paul Caban. Numerous other individuals made 
contributions to the GAO reports cited in this testimony. 




Appendix I 

Federal Managers’ Financial Integrity Act of 1982 


Federal Managers' Financial Integrity Act of 1982 
Public Law 97-255 
(96 Stat. 814) 

AN ACT To amend the Accounting and Auditing Act of 1950 to require ongoing 
evaluations and reports on the adequacy of the systems of internal accounting and 
administrative control of each executive agency, and for other purposes. 

Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled, 

Section 1. This Act may be cited as the "Federal Managers' Financial 
Integrity Act of 1982". (31 U.S.C. 65 note). 

Sec. 2. Section 113 of the Accounting and Auditing Act of 1950 
(31 U.S.C. 66a) is amended by adding at the end thereof the following 
new subsection: 

"(d)(1)(A) To ensure compliance with the requirements of subsection 
(a)(3) of this section, internal accounting and administrative 
controls of each executive agency shall be established in accordance 
with standards prescribed by the Comptroller General, and shall 
provide reasonable assurances that — 

"(i) obligations and costs are in compliance with applicable 
law; 

"(ii) funds, property, and other assets are safeguarded 
against waste, loss, unauthorized use, or misappropriation; and 

"(iii) revenues and expenditures applicable to agency operations 
are properly recorded and accounted for to permit the 
preparation of accounts and reliable financial and statistical 
reports and to maintain accountability over the assets. 

"(B) The standards prescribed by the Comptroller General 
under this paragraph shall include standards to ensure 
the prompt resolution of all audit findings. 

"(2) By December 31, 1982, the Director of the Office 
of Management and Budget, in consultation with the 
Comptroller General, shall establish guidelines for the 
evaluation by agencies of their systems of internal accounting 
and administrative control to determine such 
systems' compliance with the requirements of paragraph 
(1) of this subsection. The Director, in consultation 
with the Comptroller General, may modify such 
guidelines from time to time as deemed necessary. 

"(3) By December 31, 1983, and by December 31 of 
each succeeding year, the head of each executive agency 
shall, on the basis of an evaluation conducted in accordance 
with guidelines prescribed under paragraph 
(2) of this subsection, prepare a statement — 

"(A) that the agency’s systems of internal accounting and 
administrative control fully comply with the requirements 
of paragraph (1); or 

"(B) that such systems do not fully comply with such requirements. 

"(4) In the event that the head of an agency prepares 
a statement described in paragraph (3)(B), the 
head of such agency shall include with such statement 
a report in which any material weaknesses in the 
agency's systems of internal accounting and administrative 
control are identified and the plans and schedule 
for correcting any such weakness are described. 

"(5) The statements and reports required by this 
subsection shall be signed by the head of each executive 
agency and transmitted to the President and the 
Congress. Such statements and reports shall also be 
made available to the public, except that, in the case 
of any such statement or report containing information 
which is — 

"(A) specifically prohibited from disclosure by any provision 
of law; or 

"(B) specifically required by Executive order to be kept 
secret in the interest of national defense or the conduct of 
foreign affairs, such information shall be deleted prior to 
the report or statement being made available to the public.". 

Sec. 3. Section 201 of the Budget and Accounting Act, 1921 (31 
U.S.C. 11), is amended by adding at the end thereof the following 
new subsection: 

"(k)(1) The President shall include in the supporting detail 
accompanying each Budget submitted on or after January 1, 
1983, a separate statement, with respect to each department 
and establishment, of the amounts of appropriations requested 
by the President for the Office of Inspector General, if any, of 
each such establishment or department. 

"(2) At the request of a committee of the Congress, additional 
information concerning the amount of appropriations originally 
requested by any office of Inspector General, shall be submitted 
to such committee.". 

Sec. 4. Section 113(b) of the Accounting and Auditing Act of 1950 
(31 U.S.C. 66a(b)), is amended by adding at the end thereof the following 
new sentence: "Each annual statement prepared pursuant 
to subsection (d) of this section shall include a separate report on 
whether the agency’s accounting system conforms to the principles, 
standards, and related requirements prescribed by the Comptroller 
General under section 112 of this Act.". (31 U.S.C. 66a). 

Approved September 8, 1982. 


'Hni Act bM IN* bcctt unanM H orDcramber 31, 1895. 


{195064) 




GAO’s Mission 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting its 
constitutional responsibilities to help improve the performance and 
accountability of the federal government for the American people. GAO 
examines the use of public funds; evaluates federal programs and policies; 
and provides analyses, recommendations, and other assistance to help 
Congress make informed oversight, policy, and funding decisions. GAO's 
commitment to good government is reflected in its core values of 
accountability, integrity, and reliability. 




Mr. Platts. Thank you, Mr. Steinhoff. 

Before we continue, I would like to recognize that we have been 
joined by the gentlelady from New York, Mrs. Maloney. Thank you. 

We will go right into questions, and we will do 5 minutes or so 
for each Member and have various rounds. Mr. Steinhoff, I want 
to first comment on your work and sitting here with two CFOs, and 
as one who played an integral role in the CFO Act back in 1990, 
and now partnering with our CFOs and our IGs in this collabo- 
rative effort, what important work it is. Your comment about the 
A-123 Circular revision revitalizing FMFIA is a very important 
note. And that’s really what this subcommittee, through our work 
on the DHS bill last session and now continuing with our oversight 
responsibilities on the Circular, is seeking to do. 

Mr. Steinhoff. Mr. Chairman, I would like to add another point 
to that. When you mentioned the CFO Act, at the time of FMFIA, 
agencies really weren’t in the same position as they are today. You 
didn’t have, for the most part, what I would call professional CFOs. 
And you have a much different set of dynamics today. You have 
that act and that structure in place to carry a lot of this out. 

Mr. Platts. That evolution, 50 years ago, when as you ref- 
erenced the legislation back in 1950 and now through to this day, 
combined with everything in between, has put, I believe, the Fed- 
eral Government in a great position to really work hard at truly 
getting its financial house in order. And that’s what each of you is 
seeking to do in your individual agencies or in a collaborative effort 
as members of the PCIE or CFO Council and with GAO. So we’re 
delighted to have your efforts out there and have you here today. 

What I thought, maybe for each of our CFOs and IGs, if all or 
one of you would want to give, just in laymen’s terms, an example 
of an internal control in your department, just to kind of set the 
stage for what we are talking about, the kinds of things that 
should be occurring to protect taxpayer funds in each of your de- 
partments. 

Mr. Wolff. I’d be happy to try and answer that, Mr. Chairman. 
I think internal controls come at all levels, at the macro level and 
a micro level. Where we start in our department is leadership at 
the top. We have a new Secretary of our Department, Carlos 
Gutierrez, who was previously the head of Kellogg Corp. He 
turned that corporation around, and he has been here a week. He 
had his first meeting with the senior staff early this weekend. One 
of the first things he emphasized was accountability, by his man- 
agers sitting around the table, by his senior staff and throughout 
the organization. 

It starts at the top. It’s our responsibility to inculcate the culture 
from the top all the way down to the bottom. Concurrent with that, 
I meet with the CFOs in all our bureaus on a monthly basis. So 
those are the macro kinds of controls. The other kinds of things, 
the reviews you do of travel reports and those kinds of things. 
Those would be examples of micro level of internal controls. 

Mr. Platts. OK. Mr. Burnham. 

Mr. Burnham. Thank you, Mr. Chairman. 

Like the Department of Commerce, we have a new Secretary as 
well. I think it is indicative of her, of the emphasis she places on 
management, that her first briefing while she was going through 



61 


the confirmation process was from the management bureaus of the 
State Department and the Under Secretary for Management. So 
clearly, we have top down support and focus on this effort. We have 
a best practice that is held up by OMB as a best practice. It’s also 
at the macro level. And of course, we know that it flows downhill, 
so it has to start there. 

We have a management control steering committee. This is the 
most important thing that agencies can implement. This is chaired 
by me as the Assistant Secretary and Chief Financial Officer. It 
also consists of nine other assistant secretaries and the IG as a 
non-voting member. This is the group that comes together on a reg- 
ular basis to determine whether or not we have material weak- 
nesses, reportable conditions. We receive a report from the auditor. 

Government is a hybrid. We have no board of directors. You are 
our board of directors. But yet, unlike a board of directors, we don’t 
have an audit committee. We do have an IG, but we do not have 
yet an internal audit capability, but we certainly plan to as part 
of our process of seeking and attaining an outside audit of our in- 
ternal controls. 

But it starts there at that senior level committee that is going 
to provide the top down guidance, the macro guidance, that’s going 
to go all the way down. 

Let me just also mention too at the micro level. It’s supervisory 
oversight as well, and you mentioned one of these in your example. 
But it’s also peer review, peer review in terms of making sure that 
it doesn’t always have to be a supervisor, it can also be a colleague 
in a voucher examiner capacity also doing a peer review on some- 
one else. These are the kinds of things we have to do at the State 
Department. 

Mr. Platts. Thank you. 

Before I yield to the ranking member, we are going to get into 
the A-123 Circular. One aspect of that implementation is with the 
CFO Council developing a training program or guidance for the ef- 
fective implementation. Could you give us an update where that 
process is and what kind of timeframe we’re looking at to have that 
information, that assistance out there, so that all the departments 
and agencies can go forward in a positive way with the new Cir- 
cular? 

Mr. Burnham. We are fleshing that out right now, Mr. Chair- 
man. We anticipate that we will be able to, that OMB will be able 
to issue guidance on that some time in the spring, that’s as close 
as I can get it right now, sir. 

And we have established a separate subcommittee of the CFO 
Council that is dealing exclusively with this issue, the Sarbanes- 
Oxley, with A-123 issues. 

Mr. Platts. When you flesh that out and you have some of your 
training programs for your managers, will that training be cross- 
agency, cross-department, to allow that give and take as the CFO 
Council does at the senior level, or will it be more within each de- 
partment or agency? 

Mr. Burnham. No, as a matter of fact, I also chair the Best Prac- 
tices of the CFO Council. Just yesterday we had our monthly meet- 
ing, in fact, this was brought up. We plan to have a couple of dif- 
ferent ways, not only in terms of written guidance, in terms of 
training sessions across agency, inter-agency, not just for CFOs, 
but also for our colleagues within the community. 

We also are looking at building a panel so that during our regu- 
lar monthly meeting we would bring a panel of outside experts that 
would come in and tell us how they have implemented this in the 
corporate world. We are also seeking a panel, sir, of public policy 
experts, those of you who visit this on a daily basis. You, perhaps 
Congressman Oxley and others, sir, we would love to have come be- 
fore the Council and give us your impression. 

Finally, we are looking to do a retreat. We get bombarded with 
e-mails for all kinds of retreats. I’m sure you do as well. We can 
go to Harvard, we can go to all these kinds of places for 3, 4, 5 
days, they cost thousands of dollars. We’re looking actually to build 
possibly in conjunction with the Association of Government Ac- 
countants a retreat where from the assistant secretary level and 
below we can send numerous people, come there and really have 
an intense two, three in-depth training session on this. 

Mr. Platts. I commend your efforts in chairing the Best Prac- 
tices subcommittee in that learning, benefiting from each other. 
That’s great. 

Mr. Towns. 

Mr. Towns. Thank you very much, Mr. Chairman. 

Mr. Steinhoff, let me start with you. How can an agency like 
NASA, with the vast majority of the budget being allocated to pri- 
vate contractors and vendors, ever improve their internal control 
functions without streamlining their procurement activities? Have 
issues concerning the lack of control over property, plant and 
equipment been addressed by the agency? 

Mr. Steinhoff. Congressman Towns, those are areas on GAO’s 
high risk list. NASA procurement and that whole array you were 
just speaking about are high risk areas. NASA faces contract man- 
agement challenges. They face challenges in the financial manage- 
ment as well. NASA has had problems bringing up financial sys- 
tems that operate effectively and is trying to grapple with those 
now. 

You are really putting your finger on some high risk areas, that 
really affect the ability of NASA to carry out its mission, because 
NASA is dependent on the contract community. And when con- 
tracting, procurement, and all that oversight is a high risk area, 
it makes it difficult. My understanding is that at one time NASA 
built the platforms and all that itself. It had most of the scientific 
community. Today, as you stated, they are largely dependent on 
contractors. So getting on top of contract management is very, very 
important. 

Mr. Towns. Thank you. 

I am not going to be able to stay throughout, so let me ask this 
question just in case the chairman doesn’t ask it, let me ask it. 
Since the enactment of Chairman Platts’ legislation that requires 
an independent opinion of DHS’ internal controls, can you update 
us on any progress the agency may have made for developing and 
implementing improvements to their internal control structure? 
Have the efforts of DHS been hampered because of the distinct na- 
ture of its legacy agencies, or are they similar to internal control 
deficiencies at other Federal departments? 





Mr. Steinhoff. I have some knowledge on this. DHS is another 
area on our high risk list. Certainly when you put a new depart- 
ment together, 1 day they don’t exist, the next day they do, and 
you throw together a bunch of groups, that makes it hard. Many 
of those units that were merged into DHS had internal control 
issues coming in. Some had serious control problems coming in. So 
you had to face having to be up and running from day one without 
a clear infrastructure at the department level. Again, our high risk 
designation focuses on that problem. 

With respect to what they are doing to really address the man- 
date that the chairman had placed in the DHS bill, I can’t speak 
to the progress they have made today, other than the fact that they 
had a conference, the Comptroller General spoke at it, and they 
made a presentation on their plans for implementing FMFIA and 
OMB Circular A-123. 

It seemed to me they had a good grasp for how to approach this. 
It seemed to me they were involving all the entities, all the activi- 
ties. They had various levels of steering committees that involved 
their various components, and involved people at sufficiently high 
levels that things should in fact be achieved. So they seemed ear- 
nest, they seemed to want to proceed ahead, they seemed to want 
to get on top of their problems. 

But they do face what anyone would say are high risk challenges. 
It would be again very challenging for them. 

Mr. Towns. Thank you very much. 

Secretary Burnham, it recently came to our attention that bil- 
lions of dollars allocated by Congress toward the international ef- 
forts in Iraq and elsewhere are unaccounted for. While I under- 
stand that your agency’s mission is distinct from that of DOD can 
you offer us any assurance that our appropriations in support of 
our international efforts within the State Department are being 
well managed and controlled? Are there any allocation discrep- 
ancies within your agency that we should be made aware of? 

Mr. Burnham. Mr. Towns, thank you for that question. Let me 
address just post-turnover, when Ambassador Negroponte arrived 
in Baghdad. Let me just say that most of the programs that we are 
implementing through foreign assistance programs and through 
the Iraqi Relief and Reconstruction Fund are being executed by ei- 
ther DOD, which I will not comment on, although I have complete 
faith in, and USAID. USAID has a legacy of exceptional controls 
that they place through their comptroller’s office, through inde- 
pendent audits, not just only in Iraq, but in every country where 
AID operates. They have very strong oversight programs. I have 
complete faith in what AID is doing, particularly under the leader- 
ship of Administrator Andrew Natsios. 

So, sir, if you would accept my assurance that I have full faith 
as an American taxpayer in what we’re doing there and what our 
State Department is doing there, and what AID is doing there, 
then if you’ll accept that, sir. I’ll leave it at that. 

Mr. Towns. Thank you very much. We’re going to have to go into 
recess, Jim had to leave to vote, and I must leave to go somewhere. 
We will just have a 5-minute recess. 

[Recess.] 



Mr. Platts. We will reconvene the hearing. My apologies for the 
delay. Unfortunately, I may need to run out again. We have a 
markup in the Education Committee downstairs. I’m getting my 
exercise today. Hopefully the next vote will be a little while before
they call it. 

I want to continue on a number of issues here. One important 
aspect of the A-123 Circular, is not requiring every department 
and agency to have an audit opinion on their internal controls, as 
we are doing with DHS. We are going to look at the cost benefit 
of doing that in a broader sense. As written, it gives OMB that discretion.
I would like each of you, if you could touch on what type
of threshold you envision for when OMB should invoke that discretion
and require an audit. Is it a dollar amount, is it a persistent
number of years? What in your opinion would warrant an audit 
opinion on the internal controls? 

Mr. Wolff. I suppose I should let the Government Accountabil- 
ity Office go first on this one, sir, but I will take a stab at it. It 
seems to me you can’t put a dollar threshold on implementing this 
provision of A-123. I think it is more a subjective call on how an 
agency is doing. Are they properly identifying their internal con- 
trols? Are they carrying out the plans that they have set in place 
to correct those internal controls, and are they doing it in a timely 
way? 

I think that is the bottom line on the call at OMB. You can’t just
set a dollar threshold, because what might be material at the De- 
partment of Defense may not be in one of our sub-bureaus, for ex- 
ample. There is a great debate going on at each agency right now 
about this materiality issue. It is one that is fairly well 
parochialized because of the difference in programs across Govern- 
ment. 

That’s the short answer, I think, sir, to what you are asking. 

Mr. Burnham. Mr. Chairman, stewardship has no price. I think 
we all agree on that in the room. It doesn’t mean that we spend 
a nickel to account for a nickel. But it does mean that we have to 
eventually get to a point where we have required audits of our in- 
ternal controls. 

For the State Department, that means $4.5 million is our best 
guess at this point, 2 to 3 years. It has to do with testing. It has 
to do with documentation. And finally, it has to do with building 
what we call a senior review committee, otherwise known in the 
outside world as an internal audit capability. We want to be very 
respectful of our IG, but the reality is that we should all have an 
internal audit capability or internal senior review committee. 

When those three things are well on their way, when using the 
balance score card, OMB can say that most agencies are at yellow,
if not green for progress, yellow for status, then I think it’s time
for OMB or the Congress to act. I don’t think it’s 2 years, but I
think certainly within the next 5, sir. 

Mr. Platts. Thank you. 

Mr. Higgins. I think that one of the things you have to take into 
consideration initially is the cost benefit of this opinion. Certainly 
it would be a concern from my perspective if you had repeat find- 
ings that continued year after year without being corrected. 



But I do think the first thing you have to do is look at the cost 
benefit of this, how much it is going to cost you and what you are 
going to get out of it. 

Mr. Steinhoff. A couple of thoughts on this, since we have been 
pretty vocal for many years on this matter. Not only do we do it, 
but really in a strict technical sense, we’re not required to follow 
FMFIA. The law doesn’t really apply to GAO per se. But we follow 
that law. 

I agree with what Mr. Burnham said. I think the agency has to 
see where they are on this. I believe it can be done in a cost-effec- 
tive manner. It should be a by-product of doing a financial audit 
using the joint GAO/PCIE Financial Audit Manual, which I think 
has taken us to the level that we are doing first rate financial au- 
dits. I would put the Federal financial audits ahead of what was 
being done in the private sector in terms of quality. It gives the 
auditor the ability to render an opinion on controls. We do it right 
now by following the GAO/PCIE methodology. 

I think you have to look at the value in terms of that, it’s an 
independent set of eyes. When agencies were first required to pre- 
pare financial statements, there was a lot of the same thinking 
that it was not cost effective to audit the financial statements you 
know, let’s just send in the reports. So what an audit opinion pro- 
vides is a second, independent set of eyes. And it is providing an 
assurance. 

If you look at SSA, which I really think is the role model, they 
voluntarily prepared financial statements and had them audited in 
the mid-1980’s. They took their lumps long before there was any 
glimmer that this thing was ever going to become law. And they 
are now one of the first to be up front and get an opinion on con- 
trols. I believe this year was the first year they got a clean opinion 
on controls because they were able to get past the computer secu- 
rity hurdle, which is a difficult hurdle. That’s a tough hurdle, even 
if you get by it once. 

SSA should be most proud of the fact that on their own volition 
they have had that tone at the top and have pushed ahead, as Mr. 
Burnham explained was his goal at State, and have voluntarily 
done so. But I think it is really a cost of doing business in Govern- 
ment. I think we can do it in a cost-effective manner. I think it can 
add value. If management does have the kind of internal control 
program in place that is envisioned in A-123, it makes the audi- 
tor’s job a lot easier, because management has tested its controls. 
Management has a basis for its assurance, and management can 
say to you that yes, we do meet the standard and this is what we 
base that on. 

If you have an entity that has lots and lots of problems and they 
can’t provide that assurance, I could see the auditor’s job being 
very easy, they don’t have assurance. It shouldn’t cost the auditor 
anything. Take DOD, I could give that opinion in just the time it 
would take me to write it up. 

So I think moving through in an orderly manner, whether it’s 2, 
3, 4, 5 years, it would differ by agency, makes a lot of sense. 

Mr. Platts. Secretary Burnham, your statement was that you 
envision State being at that point in 2 to 3 years, right? 



Mr. Burnham. Yes. I would anticipate regardless that we will 
have an internal audit of our internal controls within the next 2 
to 3 years. I think as I said, it will cost $4 million to $5 million 
to get there because of the three steps that we have to take. Then 
I think beyond that it’s fairly de minimis. It’s perhaps a 25 to 50
percent increase in our overall independent outside audit, which
right now stands just below $1 million.

Mr. Platts. Secretary Wolff. 

Mr. Wolff. May I just add, Mr. Chairman, the comments of my 
friends, notwithstanding, I don’t think we can underestimate the 
cost. I think we run the risk of underestimating the true costs of 
the audit part of this provision. There is no question in my mind 
that the exercise is beneficial. No one is arguing that. 

But when you do audits of the Social Security Administration’s 
internal controls, it is quite different, they are a single focus agen- 
cy. As important as they are, it’s a single focus. They pay folks 
checks. 

When you have an agency as diverse as ours, where you’ve got 
everything from counting all the people in the country every 10 
years with 500,000 employees to running weather satellites to con- 
trolling radio spectrum, the costs start going up considerably. That, 
coupled with the open source news reports in the Wall Street Jour- 
nal, the Financial Times and others in which the cost of the addi- 
tional burden in the private sector ranges anywhere upward to 100 
percent over current audit costs, we need to very closely look at 
that before we start mandating these things absent additional 
funding from the Congress. 

Mr. Platts. Secretary Wolff, is it fair to say, though, that given 
the complexity of Commerce or State or Education that because 
you are not single focused, really, as Social Security is, it’s all the 
more important that we ensure that your internal controls are up 
to the challenge before you? It would make the argument why you 
should be doing them because of the complexity of your mission. 

Mr. Wolff. Sir, we are already hard at work documenting our 
internal controls. I am not arguing with that. I think it is a very 
worthwhile exercise. 

As far as annual audit opinions, though, of the management’s as- 
sertions and internal controls, it’s quite a different story. I think 
we need to look at it very closely. This interagency review that’s 
being undertaken jointly with the PCIE and the CFO Council will 
hopefully lead us to a satisfactory conclusion. 

Mr. Platts. Actually, you led into my next question, which was, 
under my DHS legislation, the requirement for this joint study, 
cost benefit study, I was wondering, between CFOs and our Inspec- 
tor General where we are in that review, that study, at this point. 
Are we still kind of early on? 

Mr. Wolff. Yes, sir, pretty early on. 

Mr. Platts. OK. Great. 

Mr. Burnham. Mr. Chairman, can I just add one thing to my col- 
league, Secretary Wolff? He did bring up a very important point. 
From my own legislation days, I know how objectionable we found 
it when we had to vote on something which was an unfunded man- 
date. The importance, of course, of understanding that, finding $4.5 
million in the State Department budget, is going to be a difficult
task. So unless we do have support across the board, both from our
own colleagues as well as from the Congress, it is going to be very 
tough to implement this. So we certainly would urge you, sir, to 
work with the appropriators in full support. 

Mr. Platts. That leads nicely into the next question I have, but 
I have to run downstairs and put a vote in. I apologize, but if you 
are patient, I will be right back and we will continue the dialog. 
We stand in recess for a few minutes. 

[Recess.] 

Mr. Platts. The subcommittee will reconvene. 

The Federal Managers Financial Integrity Act, having been in 
place for 23 years now, an aspect of that was to focus on the inter- 
nal controls. Is it that what we are requiring now is so much great- 
er that we have this infrastructure buildup, that we need to expend 
these dollars to get up to where we can do internal audits or is it 
that over those 20 years there wasn’t the level of focus and commit- 
ment on internal controls as Congress intended when FMFIA was 
passed that we’re now kind of all on the same page, finally, with 
the new Circular and really making the investment? 

Mr. Wolff. Sir, I think Mr. Steinhoff touched on that a little bit 
in his testimony. Back in the 1980’s, there was a great deal of at- 
tention, as you probably know, given to internal controls. It became 
as he said, a paper intensive process. The documentation of the 
process became an end unto itself.

So the internal control weaknesses remained while the process 
was fine. So that’s what led the administration, back in 1995, ap- 
parently, to make the judgment that they should back off on the 
requirement for the reporting part of it. I think the pendulum, as 
he said, did swing too much the other way and now we’re back, and 
with a different focus. The documentation requirement is there, but 
it’s more an inculcation of the culture rather than a paper process. 
So there’s a huge difference. 

Mr. Platts. Maybe we can explore in that difference, because a 
big part of the audit is compliance with all the laws and regula- 
tions of each department and agency. Would it be logical to require 
your Department’s auditor to get an opinion on compliance with 
FMFIA and how would that opinion differ from an actual opinion 
on your internal controls? 

Mr. Steinhoff. Yes, FMFIA requires management to have an 
evaluation process that meets the guidelines that are established 
by OMB. If you are going to give an opinion on that, you would basically
say whether or not management was assessing its controls
in some orderly manner that made sense, was in a position to put 
its assurance statement together, and had in fact rendered the re- 
port that the law required it to render. You wouldn’t, though, be 
giving an opinion on the controls themselves. You would be giving 
an opinion on the process they followed. 

Going back, and I apologize for being back here a minute late. 

Mr. Platts. I was quick. 

Mr. Steinhoff. You were very quick. In looking at the 1982 act, 
you really had such a steep learning curve that agencies didn’t 
know what to do. But they had to immediately be doing something. 
There was this tremendous cry for a lot of specific guidance. So 
what you had was in-depth guidance that would be used by an
auditor to do a vulnerability assessment or internal control review,
massive training and a lot of very specific things. 

It really drove people to just generate lots of paper to be trying 
to comply with a very rigorous evaluation process for which they 
did not understand the principles undergirding it. You had entities 
that might have 30,000 or 40,000 assessable units and each unit 
would apply an assessment guide. Then they would roll it up at all 
these levels. It just became a blizzard of paper. 

My job for about 10 years was overseeing all this. It got worse 
and worse as people became more sophisticated in the process. It 
really took hold. They worked very hard. I would give them an A 
for effort. But we ended up with too much paper, and finally that 
pendulum swung and OMB basically said, forget the whole thing.
I think it fell off the radar screen around 1995. Now it’s back on, 
which I think is very positive. 

Mr. Platts. Secretary Burnham, did you have something you 
wanted to say? 

Mr. Burnham. No, I just, while you left the room, I got into a 
little bit of hot water with my colleagues. They said I was jumping 
the gun. 

Mr. Platts. On the 2 to 3 years? [Laughter.] 

Mr. Burnham. They didn’t use the word showboat, but — [laugh- 
ter] — we have a great team at State that was there long before I 
got there. But we have priorities. Our No. 1 priority is building a 
global financial platform and integrating six legacy data bases into 
one legacy data base and building that across 171 different coun- 
tries and 150 different currencies. That’s our premier goal, building 
a global financial management system. 

Getting an independent audit of our internal controls is some- 
thing we certainly want to do, certainly want to work toward, 
whether or not in a scarce resource environment like the one we’re 
heading toward, and with the responsibility that you and other 
members of this committee and Congress hold to get the deficit cut 
in half for the next few years and then eliminated. 

If we can do all of this, these are certainly things we want to do. 
So that’s certainly the direction we’re trying to head. 

Mr. Platts. With all due respect, I know at least one or more 
of your fellow witnesses here are military veterans as well. I think 
that’s the can-do attitude of the Marine in you coming out, that 
we’re just going to get it done. And that’s a good thing. 

I think the point you just made about the scarce resource environment
in which we’re in is all the more why making sure we get
it right on internal controls needs to be a priority. We talked last 
week with the Comptroller General about the $45 billion, OMB’s 
estimate, best possible, which doesn’t include all departments and 
agencies, of the improper payments. As we get ready in January
2006 to begin the new Medicare prescription drug plan that is 
going to cost somewhere in the $50 billion or $60 billion a year 
range, we can fix our internal controls, especially at DOD and some 
of the larger agencies. Medicare itself. It goes a long way to paying
that commitment on prescription drugs without new money, but 
just with the money we have, but better accounting and use of it. 

So even in scarce resources, I know it’s going to be challenging 
to come up with these dollars for the additional cost. But it’s all
the more why we need to do it. But your message is still well
heard. I have said many times, I’m not an appropriator. All of us 
wish we were. If I could wear my oversight hat and my appropria- 
tion hat, it would be a perfect match, although that would not be 
a good internal control probably. [Laughter.] 

So I need somebody watching me. 

I want to actually take up where I got off track here. With 
FMFIA, from the management attestation requirement there, is 
that in your opinion, both from the Department and GAO, fulfill 
the new Circular requirement of attestation on your internal con- 
trols, if you do go through what’s required under FMFIA? 

Mr. Steinhoff. Yes. 

Mr. Platts. So is there a belief that we need to do anything from 
a statutory standpoint with the act itself to strengthen it, to kind 
of dovetail with what 0MB has done through the administrative 
process? 

Mr. Steinhoff. No, because the act envisioned that OMB would
issue the guidance and would lay out how to assess and report. 

Mr. Platts. So to maintain that discretion? 

Mr. Steinhoff. Yes. 

Mr. Platts. OK. I’m always an optimist, that when we lay out 
our plans we are going to move forward and achieve them and 
strive to our best ability to do so. But given that 20 year history, 
Mr. Steinhoff, you have recounted it well in your testimony, both 
written and here today, of FMFIA from 1982 through the 1980’s 
and mid-1990’s and basically kind of like, it’s not working. Well in- 
tended, but we didn’t get the results. 

Why would you believe that we should be more optimistic this 
time, that we are really going to get it right and do what we’re all 
setting out to do, and why shouldn’t we be? Is there a reason we
should not be optimistic? 

Mr. Higgins. I think 20 years ago there was a lack of apprecia- 
tion for the importance of internal control. Since that time, there 
has been a lot of emphasis given to financial reporting, financial 
statement audits. There is a better understanding of the need for 
that. Plus, we have had some terrible situations in the private sec- 
tor that brings it to everybody’s mind. 

I think the revisions to the new A-123 would do a lot. It lays out 
management’s responsibility, it gives specific guidance into what 
they should do for the financial statement part of the reporting. So 
I think that we should wait and see. 

Mr. Platts. Kind of the silver lining in some of the bad occur- 
rences of ENRON and WorldCom is that it’s raised the level of 
scrutiny and the priority of this issue? 

Mr. Higgins. Absolutely. I mean, in my department alone, there 
has been a tremendous amount of improvement in the last 4 or 5 
years. The Student Financial Aid Office just got taken off the high 
risk list. 

Mr. Steinhoff. And I think in looking at it, there were some 
very positive by-products of FMFIA in the early years. It did drive 
internal control down to the lowest level. There were literally thou- 
sands and thousands of small control tweaks at those lower levels. 
And agencies did a lot, some maintained it, some perhaps did not. 
But they did a lot to document their underlying systems. There has
been a lot done with the passage of the CFO Act to document the
underlying accounting systems and those operations, which really 
is a great jump start to revitalize FMFIA. 

So I think in some respects, as I mentioned before, we are ahead 
of the private sector going in. We have some tremendous chal- 
lenges. We have a different level of accountability, and our account- 
ability is much more visual to the average person when they don’t 
get their benefit check or the Government does something wrong. 
But I think there is that appreciation. I also believe you have a dif- 
ferent type of manager in Government today and you have a set 
of, a cadre of highly qualified CFOs, which you did not have back 
in 1982. That was kind of an afterthought that was added to some- 
one’s title, and they really didn’t focus on internal control. 

Mr. Platts. I share that belief as well, in the CFO Act. It’s one 
of the reasons we pushed for Senate confirmation of the DHS CFO, 
was to ensure we didn’t regress. We have established a high stand- 
ard for our CFOs, and to ensure that scrutiny does occur, because 
we do want that mind set that’s changed to continue and not go 
the other way. 

Mr. Wolff. Sir, I fully concur with what my colleagues have 
said. Certainly the financial environment today is substantially dif- 
ferent in many ways from the way it was back in the 1980’s. I was 
around back in those days, too. It is a totally different way of doing 
things. There is far more emphasis on doing things the way the 
private sector does them and lifting best practices from the private 
sector and applying them appropriately in Government. 

But probably more important than that is, for reasons I’m not 
quite certain I understand, the folks that are doing all the hard 
work on this internal controls review and documentation are seeing 
the value of doing it. So you are institutionalizing something that 
is essential to begin with. I think that is going to be the key to the 
success of this, that people are actually seeing the benefit of what 
they are doing. 

Mr. Platts. I think when I caught my breath I remembered the 
question I wanted to followup with when we were talking about the 
cost of doing it. This kind of relates to Secretary Wolff, the value 
of doing it. 

Now at State, Secretary Burnham, you’re looking at, say, $4.5 
million extra to get your Department in place to do the internal 
audit and move forward from there, which is going to be out of, in 
essence, your portion of State’s money that you are given. Is there 
any discussions, dialog at the senior level in State, or Commerce 
or Education, that there is an incentive to do it? I’ll give you an 
example, with Homeland Security. Last year, as we were pushing 
for my legislation, there was a report about within the Transpor- 
tation Security Administration, I forget how many tens of millions 
of dollars of overruns regarding, I think it was screening equip- 
ment or something, because of lack of good internal controls. 

So even if they had spent $10 million in making sure their inter- 
nal controls were up to par, they would have come out way ahead 
as a Department whole. But to the IG or financial management 
sector of DHS, they spent more money. In other words, if by doing 
this audit you are able to identify savings that those savings accrue
to your office within the Department to help pay for the cost, are
there any discussions of that nature? 

Mr. Burnham. We do have discussions of that nature, although 
I think long term, the State Department is going to get savings 
from other areas, such as the 21st century technology platform, 
such as fulfilling the President’s vision of competitive sourcing, the 
PMA agenda item on competitive sourcing. I think this is going to 
be far more beneficial to the State Department and to the Amer- 
ican taxpayer, at least in our case. 

And as of now, I would certainly say we are going to have to find 
the money to get us to a level of testing and documentation. Al- 
though I would not say that the goal of getting to a place where 
we can receive and be comfortable that we are going to receive a 
clean opinion on an independent audit of our internal controls is 
anything different from what we had planned to do before Circular 
A-123 Appendix A. In other words, I think that, as my colleagues 
today have outlined, it’s a new environment than it was 20 years 
ago. It’s a new environment than it was 4 years ago. And reflecting 
that, we have changed our focus and are trying to grow with it. 

Mr. Platts. And with the suggestion in my question about shar- 
ing of the benefits, there is a little bit of caution there, because 
there would be a little bit of a gotcha, if one part of State finds 
wrongdoing by another part, you get the benefit of that savings, 
which could create some internal battles or tension. But it’s some- 
thing that when we are looking to how to pay for this renewed ef- 
fort, there are going to be benefits reaped. 

The example my staff shared with me in my memory is, the total 
contract was $18 million, and the question here of which $9 million 
was not able to be accounted for by the Department. And originally 
it was only a $4 million score to begin with. So it escalated dra- 
matically and then couldn’t be accounted for in the end, half of 
what that escalation was. So obviously it would have been a De- 
partment-wide benefit to having better controls in place. So some- 
thing to perhaps look at as you are looking for money. Because you 
rightfully acknowledge it’s going to be hard getting additional dol- 
lars from Congress, given the fiscal challenges we are facing as a 
Nation. 

Mr. Burnham. Mr. Chairman, I believe you are referring to the 
Iraqi money, not the IRRF money. 

Mr. Platts. This is in TSA here, stateside. 

Mr. Burnham. OK. 

Mr. Platts. Yes, not within State, but within Homeland Secu- 
rity. 

Mr. Higgins. From the IG’s perspective, the community certainly 
thinks this is like apple pie. But the highest people in the Depart- 
ment of Education clearly recognize that we bring back through our 
recommendations and work more than we cost the Government. 
But these unfunded mandates are killing us. In my office alone, in 
1996, we were at 368 people. Today we are at 285. That’s almost 
an 80 person FTE reduction because of the cost of the financial 
statement audit, and the cost of doing business. So we’re getting 
fewer people and more responsibility. So it is a concern of the IG 
community. 

Mr. Platts. As we demand more, we give you less. 



Mr. Higgins. Well, you actually give us more, but it doesn’t cover 
the bill. It’s sort of like my home budget. [Laughter.] 

Mr. Wolff. May I comment, Mr. Chairman? 

Mr. Platts. Yes, Secretary Wolff. 

Mr. Wolff. I would just like to make sure that my record is 
clear here. I strongly support this review. We are eating internally 
in each of our bureaus the costs of doing the reviews and the docu- 
mentation. My concern is that the annual audit opinions are going 
to increase costs considerably. That’s quite different from doing the 
work that we are doing under A-123. We are going to be doing the 
work, and monitoring the progress. The IG is going to be watching 
what we are doing as are GAO and your committee and a host of 
other folks. 

It’s rendering the audit opinion by one of the big four where we 
run the risk of giving them a blank check, quite frankly. 

Mr. Platts. Point well made. It is something that we need to be 
smart about how we do this and not create a new problem as we 
try to fix an old one. 

Mr. Steinhoff. Mr. Chairman, I would say that I agree that the 
process has to be well managed and expectations should be well 
managed. It has to be done in a very smart manner. That’s why 
we see some kind of phased approach to opinions on internal con- 
trol, when it makes sense for an agency. 

I want to add another perspective on control which I think bene- 
fits from really exploring one’s controls. In some areas, frankly, 
there’s too much control. I’ll give you an example. We did a review 
a few years ago where we benchmarked what were the travel poli- 
cies for best practice companies. And they would have anywhere 
from 8 to 15 pages of rules. They would enforce those rules. If you 
broke the rule, you were no longer employed there. 

We compared that to DOD; we worked with DOD on this in a col- 
laborative effort. They had 1,357 pages of travel rules at that time. 
They were accounting for every nickel and dime. They had to have 
people there to help people fill out the vouchers. And they went 
through a major process to streamline and knock out pages and 
pages of rules. There were unnecessary controls. Probably every 
time something went wrong over 50 years, they added another re- 
quirement. They went through and they just simplified it. They got 
some legislation and no longer do you have to have a cab receipt 
for $5. You have to trust the person if it’s less than $75.00, and 
just change the whole accountability approach. 

We did another review where we found horrendous controls over 
property, but at the same time, we found millions of accounting 
transactions that Defense was processing, thinking they were pro- 
viding more accountability. Those accounting transactions actually 
were dropping the items from visibility. So there was a tremendous 
expense to process all those transactions. And those transactions 
were worsening control. 

So when someone gets down there and starts kicking the tires, 
and gets down there in the weeds, I think they will find as a by- 
product there are ways to streamline and simplify. Agencies should 
be allowed to look at things in a cost beneficial manner, not spend 
$1.10 to save $1. 



Mr. Platts. That’s something that, this committee, we share 
that perspective, with those 1,357 pages of travel rules, they prob- 
ably had about 100 different systems to monitor compliance with 
them, too, given the number of systems over there at DOD. 

Mr. Steinhoff. Yes. 

Mr. Platts. But that point is something that, will be something 
we are going to pursue as a committee on the financial manage- 
ment laws, is that we have added over the last 20 plus years nu- 
merous laws. And part of our efforts, we have stated as a sub- 
committee this session, is to try to streamline all those laws to 
make them more efficient, that you can comply, as our Federal fi- 
nancial managers out there, a little easier on the financial manage- 
ment community to know that you are in full compliance with what 
Congress is expecting of you. 

So as we said last week, and will say again today, we will be 
looking for great insights from CFO Council, from the PCIE, from 
GAO as we move forward in that streamlining process. 

I want to just maybe touch on one last issue here from the audit- 
ing process. Inspector General Higgins, we had your colleague, the 
CFO at Education, here last week, we talked about the continuous 
auditing process, and how, because of Sarbanes-Oxley and the pri- 
vate sector more of a year-round engagement rather than end of 
the year run, or sprint, I would be interested in each of your De- 
partment’s perspective. My understanding is at Education that is 
kind of more the norm, where you are starting in February or so, 
leading up to the end of the year, rather than waiting for the last 
couple of months. 

Where is Commerce, State? I want to make sure I’m accurate 
with Education. And then Jeff, from a broad perspective, your fa- 
miliarity with others. What is the norm out there now and is this 
a good idea that we see in the private sector, that it is more a year- 
round process, hand in hand with your auditors? 

Mr. Wolff. We are getting close to having a year-round auditor 
presence. They left in December and they are going to be back next 
week for their in-brief for the current fiscal year. I think it’s bene- 
ficial. I think it’s beneficial to have them there, quite frankly. The 
earlier they start, the easier it is to get all the problems that they 
may encounter out of the way by the end of the year. 

So that’s where we are, and I anticipate that we will be eventu- 
ally getting them regular office space. 

Mr. Burnham. Similar to State, thanks to the leadership of OMB 
that required quarterly statements, of course. We now are around 
the clock, around the year producing the kinds of financials that 
are necessary to achieve OMB’s requirement. By the way, that’s 
also part of the PMA. So just getting to green in fulfilling the 
President’s vision is also part of that. 

Our own audit started last month. We will continue to press on 
to November 15th of this calendar year. 

Mr. Platts. OK. Thank you. 

Mr. Higgins. You are correct about Education. I do think it is 
a benefit. I mean, as issues come up during the year, they are 
there and they know about them in advance. So they are able to 
give more information while it is going on. I think it is a benefit. 





Mr. Steinhoff. I think it is the norm for large entities. These 
are large entities, when you talk about the CFO Act agencies. 
That’s the norm. It’s got benefits on both sides. This is a real key 
to audit quality. This morning I participated in a forum that the 
Public Company Accounting Oversight Board held where there was 
lots of talk that the key to a good audit of a private sector corpora- 
tion, publicly traded company, is the auditor’s knowledge of the 
business. If you’re auditing Procter and Gamble, you have to 
understand the business. You have to understand their competitors. 
You have to be looking at things in that context and have a com- 
plete understanding of the business and how they operate. 

To successfully audit these large Federal entities, you have to 
have an understanding of the Federal Government, of the Federal 
environment and of the missions and programs and operations of 
that Department. So having auditors there full time year-round, is 
very beneficial to the auditor. For the financial audits that we con- 
duct, we are there year-round. We never leave IRS. That’s a huge, 
complex operation. We are there 12 months a year. 

Also, we work very hard to have continuity on that audit. We 
don’t put a new bunch of people on every year, when we rotate 
someone off, we bring them along and we have experienced people 
doing that work. They have to understand those processes, how 
those systems work over there, the complexity of the tax systems. 
Year-round is the only way to go. Small entity, that’s a different 
story. You can come in and out. 

Mr. Platts. The fact that we are more and more the norm being 
year-round I think is another reflection of that change in mind set 
and focus on these issues. I have had the benefit, as a new sub- 
committee chairman, last term, coming in following Steve Horn, 
who really took his responsibilities very seriously for this sub- 
committee’s oversight role and focusing on financial management. 
And I came into the Congress in 2000 with a President who has 
made good management a cornerstone of his administration 
through the President’s management agenda, which I’m trying to 
help keep pushing the ball in the right direction down the field as 
a newer chairman. 

One last thing, and for our two CFOs, kind of a little bit off the 
issue of internal controls. But it’s just a structural question, and 
I think Secretary Burnham, you mentioned earlier internally your 
work with CFOs of different offices, programs within the Depart- 
ment that you work with that are specific to one part of the De- 
partment. I was curious, within both your Departments struc- 
turally your oversight of those subordinate CFOs from a hiring re- 
view standpoint relates to another agency we are looking at and 
how you in the end are the one who is going to be responsible for 
the entire Department’s information. But what really direct inter- 
action do you have or oversight do you have of those subordinate 
CFOs? 

Mr. Wolff. Yes, sir, I can’t speak for Secretary Burnham, but 
I will say that at the Commerce Department, I personally interview 
each major bureau CFO before he or she is hired. My statutory 
deputy CFO also interviews them. My statutory deputy, Jim Taylor, 
who is sitting behind me here, also has 25 percent of their 
performance evaluations each performance cycle, in consultation with 
me. 

Mr. Platts. Great. 

Mr. Burnham. I believe it was Secretary Wolff who mentioned 
that he had the CFOs in other parts of the Department of Com- 
merce. We don’t have CFOs, actually, elsewhere. I have a deputy 
CFO. But what we do have is financial management officers at our 
posts overseas. These are incredible men and women, the quality 
of these individuals, many of them certified public accountants that 
are now coming in, many of them in second careers that have come 
in from the private sector who want to join the Department, who 
want to go overseas and are fulfilling the role of Chief Financial 
Officer of an embassy. Some of these embassies are absolutely 
enormous. In Cairo, we have over 3,000 individuals, in Berlin, cer- 
tainly Baghdad is also going to be quite large. 

So just because we don’t call them a CFO does not mean that 
they are not. It is that individual embassy’s assurance statement 
that Ambassador must submit to my office annually. That is the 
backbone of the Secretary’s assurance statement and part of our 
overall review and existing internal control process, leading of 
course not only to mine, to the Secretary, but ultimately to the Sec- 
retary as reported in the Performance and Accountability report. 

Mr. Platts. You don’t have the same direct interaction on the 
interview process and review, given the number of posts out there, 
it sounds, as at Commerce? 

Mr. Burnham. Because of the uniqueness of the State Depart- 
ment, they are Foreign Service officers, thus they go through the 
hiring process of the Foreign Service. Then they do not report to 
me, they report to the Ambassador, who is the chief executive offi- 
cer, and as we know, the chief American in country, except when 
the President visits. 

Mr. Platts. OK. Inspector General Higgins, are you familiar 
with that structural oversight within Education? I didn’t think to 
ask Mr. Martin last week. 

Mr. Higgins. Actually, he was just here a little while ago. Jack 
reports directly to the Under Secretary or Deputy Secretary in the 
Department. I think that’s the appropriate line of reporting. 

Mr. Platts. As far as other subordinate CFOs, you’re not sure 
what 

Mr. Higgins. There are no other — well, there is a CFO at FSA — 
the PBO, at the Department of Education — but she reports to the 
COO of FSA. But there is a reporting relationship down at the 
CFO level to Jack’s office. It’s not real clear, actually. 

Mr. Platts. OK. Something I think that as we look at promoting 
greater internal controls, including in the management standpoint, 
because ultimately as we say, at Commerce you are responsible for 
those final or overall department financial management and having 
input, reviews and hiring input to who is running those operations 
at the subordinate level is, I think, very important. 

Mr. Wolff. Yes, sir. I just want to make sure I clarify, my col- 
league mentioned the PBO over there. We also have a PBO, which 
is the Patent and Trademark Office. I do not have 25 percent of 
their performance evaluation, nor do I interview their selectees for 
their financial positions over there, by law. 





Mr. Platts. OK. Thank you. 

I think we touched on the issues we wanted to cover. I want to 
thank you again for your patience with me running in and out. As 
we go forward, we touched on two very important issues that both 
the Council and the President’s PCIE and CFO Council are going 
to play a role in that implementation of the new Circular and in 
that cost benefit, that joint study. We will look forward, as a sub- 
committee, working with all of you on that, as well as with GAO 
on this issue. 

I want to commend each of you for your efforts. I said as we had 
a staff briefing in anticipation of today’s hearing, one of the things, 
in reading your bios and your experience and the successor efforts 
at your respective departments or at GAO is, we want you to kind 
of finish that 2 or 3 year focus at State, do your work, and then 
we want to move you en masse over to DOD. [Laughter.] 

We’re going to put you to the next challenge. Because that cer- 
tainly is, as we heard last week, ultimately for the Federal Govern- 
ment as a whole, we can do great work, but eventually we have to 
take on that 600 pound gorilla that’s sitting out there. You are get- 
ting great experience and doing great work that we want to at 
some point have benefit that Department as well. 

So thank you for your testimony and your time today. We will 
keep the record open for 2 weeks for any additional information 
and submissions that you may have. This hearing stands ad- 
journed. 

[Whereupon, the subcommittee was adjourned.] 




